APPENDIX

MESSAGE  SWITCHING  NETWORK 


This appendix contains a transcript of a session with SID in which a simple message
switching network is incrementally designed and verified using a top-down strategy.
Interleaved with the transcript are annotations explaining the development. This commentary
focuses on how SID is used, rather than on SID's internal operation. An overview of what SID
does in various situations is given in the example session in Section 1.2, and then elaborated
throughout the text.

The network, which allows secure, asynchronous message transfer among a fixed
number of users, is developed in several key stages:

• User/network interface. The network switches messages among a fixed number
of user processes. These processes operate concurrently with the network and,
except for their interface with the network, their operation is unspecified.
Each user process communicates with the network through a port, as shown in
Fig. A-1. Each port consists of an input buffer and an output buffer and has an
associated security classification.

• Network specification. The network specification states that the mail
received by user j is a subsequence of the secure mail intended for j. This
requires that messages for each port arrive in the same order they were sent.
The subsequence relation allows messages to be dropped due to unrecoverable
transmission failures or security violations. This property is formalized using
a hierarchically-structured collection of specifications.

• Network implementation and verification. The network is implemented as a set
of concurrently running message switching processes, with each switcher
accepting messages from only one user input buffer and routing messages to any
output buffer. This configuration is shown in Fig. A-2. Also, properties about
the switchers are stated and used in the verification of the top-level network
program. These specifications say that for every pair of ports i,j, the mail
actually sent from source i to destination j is a subsequence of the secure
mail from i intended for j.

• Switcher implementation and verification. The switchers receive messages,
determine their destination and check security, then send the message if
nothing is wrong.


Figure A-1. User/network interface


• Message implementation and verification. Previously, messages were
manipulated without knowledge of their internal structure. The message
abstraction is now implemented as a record of three fields - a source
identification, a destination identification, and the message text. The
functions which manipulate the internal structure of messages are also
implemented and verified, completing the development.

Until the last stage, several partially-defined programs and data definitions
are entered and refined. Annotations relate these intermediate stages of
development to the above outline.

The transcript can be read at several levels of detail. An overview is obtained
by ignoring specifics of the code, specifications, VC generation trace, and
proofs. Focus should be on the kinds of things being done and their relation to
the development scenario given above.

Figure A-2. Network implementation

After an initial reading, the transcript can be studied at increasingly finer
levels of detail. Annotations and status summaries aid in keeping track of
progress and context. Annotations, in addition to providing general commentary,
point out important transitions in the development. Status summaries are
frequently printed by SID to describe the current state of the entire
development.

As in Section 1.2, lines typed by a person are underlined to distinguish them
from the computer's response. The text is taken verbatim from an actual
session, and is all-inclusive except where explicitly marked. Italicized lines
are comments describing the flow of the development. The final version of the
network, its specifications, and all used lemmas are displayed at the end of
the session.

Exec->  I 

Commands are: Add, Delete, EDit, EXplain, Help, PRInt, PROve,
Restore, SAve, SUggest, Translate, Vcs, TE, f, TT.

Exec-> Suggest


process Network(var aUserPort:UserPortArray;
                Security:SecurityArray) = pending;

type UserPortArray = array(UserId) of UserPort;
type UserId = Integer[1..NUsers];
const NUsers = 100;
type UserPort =
  record ( SysIn:MsgInBuf;
           SysOut:MsgOutBuf
         );
type MsgInBuf = buffer (1) of Msg;
type MsgOutBuf = buffer (NUsers) of Msg;
type Msg = pending;

type SecurityArray = array([1..NUsers]) of SecurityClass;
type SecurityClass =
  (unclassified,confidential,secret,topsecret);


No  syntax  errors  detected. 
No  semantic  errors  detected. 
The user/network interface is established by precisely defining the parameters
to the network. The implementation of messages is postponed.


Suggest fully defining NETWORK-> Print Status All

The current design and verification status is:

Waiting for pending body to be filled in: NETWORK
Constants/Types: MSG, MSGINBUF, MSGOUTBUF, NUSERS, SECURITYARRAY,
  SECURITYCLASS, USERID, USERPORT, USERPORTARRAY

Suggest fully defining NETWORK-> E^


Exec->  Translate  NetSoc.Net 


process Network(var aUserPort:UserPortArray;
                Security:SecurityArray) =
  begin
    block all j:userid,
      issubmerge(auserport(j).sysout.outto,
                 allsecuremailfor(auserport,j,security));
    pending
  end;

function IsSubMerge(s:MsgSeq;
                    a:MsgSeqArray) : Boolean =
  begin
    exit (assume IsSubMerge(s,a)
            iff (some x:MsgSeq, IsMerge(x,ArrayToBag(a,1,NUsers))
                 and s sub x));
  end;

type MsgSeq = sequence of Msg;
type MsgSeqArray = array (UserId) of MsgSeq;




function ArrayToBag(a: MsgSeqArray; i,j: UserId): BagMsgSeq =
  begin end;
type BagMsgSeq = Bag of MsgSeq;

function AllSecureMailFor(A:UserPortArray;
                          j:Integer;
                          s:SecurityArray): MsgSeqArray =
  begin
    exit (assume all i:UserId,
            AllSecureMailFor(a,j,s)(i)
              = SecureMail(s(i),s(j),Mail(a(i).sysin.infrom,i,j)));
  end;

function SecureMail(s1,s2:SecurityClass;
                    ms:MsgSeq):MsgSeq =
  begin end;

function Mail(ms:MsgSeq;i,j:UserId):MsgSeq =
  begin end;

The network specification uses several pre-defined constructs, some of which
require explanation. The "infrom" and "outto" histories record transactions on
buffers. In the specification of Network, auserport(j).sysout.outto is the
sequence of all messages sent out to buffer auserport(j).sysout by the network.
The infrom history refers to messages received by the network. The function
"ismerge" determines if there exists a merge of a bag of sequences which is
equal to a given sequence. Functions having only their headers defined (e.g.,
SecureMail) are used for type-checking purposes.

No syntax errors detected.
No semantic errors detected.

Exec-> Print Status All

The current design and verification status is:

Waiting for pending body to be filled in: NETWORK
For specifications only: ARRAYTOBAG, ALLSECUREMAILFOR, ISSUBMERGE, MAIL,
  SECUREMAIL
Constants/Types: BAGMSGSEQ, MSG, MSGSEQ, MSGINBUF, MSGOUTBUF,
  MSGSEQARRAY, NUSERS, SECURITYARRAY, SECURITYCLASS, USERID,
  USERPORT, USERPORTARRAY

Exec-> Suggest


Suggest  fully  defining  NETWORK->  E^ 


Exec-> Translate NetWrk.Net


process Network(var aUserPort:UserPortArray;
                Security:SecurityArray) =
  begin
    block all j:userid,
      issubmerge(auserport(j).sysout.outto,
                 allsecuremailfor(auserport,j,security));
    cobegin
      Switcher(i,aUserPort,Security)
        each i : [1..NUsers];
    end;
  end;

process Switcher(i:UserId; var aports:UserPortArray;
                 Security:SecurityArray) =
  begin
    entry i in [1..NUsers];
    block all j:userid,
      aports(j).sysout.outto sub
        securemail(security(i),security(j),
                   mail(aports(i).sysin.infrom,i,j))
      and
      ( j ne i -> aports(j).sysin.infrom = MsgSeq() );
    pending
  end;

function Infrom\ArrayToBag (a:MsgBufArray; i,j:UserId) :
  BagMsgSeq = begin end;

function Outto\ArrayToBag (a:MsgBufArray; i,j:UserId) :
  BagMsgSeq = begin end;

type MsgBufArray = array (UserId) of MsgOutBuf;

No syntax errors detected.
No semantic errors detected.

The  pending  in  the  network  program  is  replaced  by  executable  code.  The 
switcher  processes  are  set  into  concurrent  execution  by  the  cobegin  statement. 
The  specifications  of  Switcher  are  given  for  use  in  the  proof  of  Network,  but 
the  implementation  of  the  actual  switching  algorithm  is  postponed. 

Exec-> Print Status All

The current design and verification status is:

Waiting for VC generation: NETWORK
Waiting for pending body to be filled in: SWITCHER
For specifications only: ARRAYTOBAG, ALLSECUREMAILFOR, ISSUBMERGE,
  INFROM\ARRAYTOBAG, MAIL, OUTTO\ARRAYTOBAG, SECUREMAIL
Constants/Types: BAGMSGSEQ, MSG, MSGSEQ, MSGINBUF, MSGOUTBUF,
  MSGBUFARRAY, MSGSEQARRAY, NUSERS, SECURITYARRAY, SECURITYCLASS,
  USERID, USERPORT, USERPORTARRAY

As reflected in this status summary, the top-level network program is ready to
be verified. VCs are generated and then proved.

Exec-> Suggest

Suggest generating VCs for NETWORK-> |

Generating VCs for PROCESS NETWORK
Found 1-ST path


SID traces the generation of the single VC for Network below.


Beginning new path...
AUSERPORT' := AUSERPORT

Assume Initial Buffer Histories are null

all I@1 : INTEGER [1..100], AUSERPORT[I@1].SYSIN.INFROM = MSGSEQ()
  and AUSERPORT[I@1].SYSIN.OUTTO = MSGSEQ()
  and AUSERPORT[I@1].SYSOUT.INFROM = MSGSEQ()
  and AUSERPORT[I@1].SYSOUT.OUTTO = MSGSEQ()

Assume (unit entry condition)
TRUE

Entering cobegin ...

Assume local buffer histories only changed by subprocesses

all I@3 : INTEGER [1..100], AUSERPORT@1[I@3].SYSIN.INFROM
    = CO\AUSERPORT[I@3].SYSIN.INFROM
    = AUSERPORT[I@3].SYSIN.INFROM
  and AUSERPORT@1[I@3].SYSIN.OUTTO
    = CO\AUSERPORT[I@3].SYSIN.OUTTO
    = AUSERPORT[I@3].SYSIN.OUTTO
  and AUSERPORT@1[I@3].SYSOUT.INFROM
    = CO\AUSERPORT[I@3].SYSOUT.INFROM
    = AUSERPORT[I@3].SYSOUT.INFROM
  and AUSERPORT@1[I@3].SYSOUT.OUTTO
    = CO\AUSERPORT[I@3].SYSOUT.OUTTO
    = AUSERPORT[I@3].SYSOUT.OUTTO

Assume no buffer actions of subprocesses lost

all I@4 : INTEGER [1..100],
  ISMERGE(CO\AUSERPORT[I@4].SYSIN.INFROM,
          INFROM\ARRAYTOBAG(AUSERPORT@1[I@4].SYSIN.PAR, 1, NUSERS))
  and ISMERGE(CO\AUSERPORT[I@4].SYSIN.OUTTO,
          OUTTO\ARRAYTOBAG(AUSERPORT@1[I@4].SYSIN.PAR, 1, NUSERS))
  and TRUE
  and ISMERGE(CO\AUSERPORT[I@4].SYSOUT.INFROM,
          INFROM\ARRAYTOBAG(AUSERPORT@1[I@4].SYSOUT.PAR, 1, NUSERS))
  and ISMERGE(CO\AUSERPORT[I@4].SYSOUT.OUTTO,
          OUTTO\ARRAYTOBAG(AUSERPORT@1[I@4].SYSOUT.PAR, 1, NUSERS))
  and TRUE

Assume system blocks.

Assume blockage conditions for subprocesses.

Blockage assertion is

all J : USERID, ISSUBMERGE(AUSERPORT[J].SYSOUT.OUTTO,
                           ALLSECUREMAILFOR(AUSERPORT, J, SECURITY))


Must verify (process blockage) condition
Verification condition NETWORK@1

H1: all I@1 : INTEGER [1..100], AUSERPORT[I@1].SYSIN.INFROM = MSGSEQ()
      and AUSERPORT[I@1].SYSIN.OUTTO = MSGSEQ()
      and AUSERPORT[I@1].SYSOUT.INFROM = MSGSEQ()
      and AUSERPORT[I@1].SYSOUT.OUTTO = MSGSEQ()

H2: all I@2 : [1..NUSERS],
      all J : USERID,
        ( I@2 ne J
          -> AUSERPORT@1[J].SYSIN.PAR[I@2].INFROM = MSGSEQ())
        and AUSERPORT@1[J].SYSOUT.PAR[I@2].OUTTO
              sub SECUREMAIL(SECURITY[I@2], SECURITY[J],
                             MAIL(AUSERPORT@1[I@2].SYSIN.PAR[I@2].INFROM,
                                  I@2, J))

H3: all I@3 : INTEGER [1..100],
      CO\AUSERPORT[I@3].SYSIN.INFROM = AUSERPORT[I@3].SYSIN.INFROM
        = AUSERPORT@1[I@3].SYSIN.INFROM
      and CO\AUSERPORT[I@3].SYSIN.OUTTO = AUSERPORT[I@3].SYSIN.OUTTO
        = AUSERPORT@1[I@3].SYSIN.OUTTO
      and CO\AUSERPORT[I@3].SYSOUT.INFROM = AUSERPORT[I@3].SYSOUT.INFROM
        = AUSERPORT@1[I@3].SYSOUT.INFROM
      and CO\AUSERPORT[I@3].SYSOUT.OUTTO = AUSERPORT[I@3].SYSOUT.OUTTO
        = AUSERPORT@1[I@3].SYSOUT.OUTTO

H4: all I@4 : INTEGER [1..100],
      ISMERGE(CO\AUSERPORT[I@4].SYSIN.INFROM,
              INFROM\ARRAYTOBAG(AUSERPORT@1[I@4].SYSIN.PAR, 1, NUSERS))
      and ISMERGE(CO\AUSERPORT[I@4].SYSIN.OUTTO,
              OUTTO\ARRAYTOBAG(AUSERPORT@1[I@4].SYSIN.PAR, 1, NUSERS))
      and ISMERGE(CO\AUSERPORT[I@4].SYSOUT.INFROM,
              INFROM\ARRAYTOBAG(AUSERPORT@1[I@4].SYSOUT.PAR, 1, NUSERS))
      and ISMERGE(CO\AUSERPORT[I@4].SYSOUT.OUTTO,
              OUTTO\ARRAYTOBAG(AUSERPORT@1[I@4].SYSOUT.PAR, 1, NUSERS))

-->

C1: all J : USERID, ISSUBMERGE(AUSERPORT@1[J].SYSOUT.OUTTO,
                               ALLSECUREMAILFOR(AUSERPORT@1, J, SECURITY))

End of path
Suggest proving VC called NETWORK@1-> Print Status

NETWORK@1 waiting to be proved.

Suggest proving VC called NETWORK@1-> f
Entering Prover with verification condition NETWORK@1

H1: all I@1 : INTEGER [1..100], AUSERPORT[I@1].SYSIN.INFROM = MSGSEQ()
      and AUSERPORT[I@1].SYSIN.OUTTO = MSGSEQ()
      and AUSERPORT[I@1].SYSOUT.INFROM = MSGSEQ()
      and AUSERPORT[I@1].SYSOUT.OUTTO = MSGSEQ()

H2: all I@2 : [1..NUSERS],
      all J : USERID,
        ( I@2 ne J
          -> AUSERPORT@1[J].SYSIN.PAR[I@2].INFROM = MSGSEQ())
        and AUSERPORT@1[J].SYSOUT.PAR[I@2].OUTTO
              sub SECUREMAIL(SECURITY[I@2], SECURITY[J],
                             MAIL(AUSERPORT@1[I@2].SYSIN.PAR[I@2].INFROM,
                                  I@2, J))

H3: all I@3 : INTEGER [1..100],
      CO\AUSERPORT[I@3].SYSIN.INFROM = AUSERPORT[I@3].SYSIN.INFROM
        = AUSERPORT@1[I@3].SYSIN.INFROM
      and CO\AUSERPORT[I@3].SYSIN.OUTTO = AUSERPORT[I@3].SYSIN.OUTTO
        = AUSERPORT@1[I@3].SYSIN.OUTTO
      and CO\AUSERPORT[I@3].SYSOUT.INFROM = AUSERPORT[I@3].SYSOUT.INFROM
        = AUSERPORT@1[I@3].SYSOUT.INFROM
      and CO\AUSERPORT[I@3].SYSOUT.OUTTO = AUSERPORT[I@3].SYSOUT.OUTTO
        = AUSERPORT@1[I@3].SYSOUT.OUTTO

H4: all I@4 : INTEGER [1..100],
      ISMERGE(CO\AUSERPORT[I@4].SYSIN.INFROM,
              INFROM\ARRAYTOBAG(AUSERPORT@1[I@4].SYSIN.PAR, 1, NUSERS))
      and ISMERGE(CO\AUSERPORT[I@4].SYSIN.OUTTO,
              OUTTO\ARRAYTOBAG(AUSERPORT@1[I@4].SYSIN.PAR, 1, NUSERS))
      and ISMERGE(CO\AUSERPORT[I@4].SYSOUT.INFROM,
              INFROM\ARRAYTOBAG(AUSERPORT@1[I@4].SYSOUT.PAR, 1, NUSERS))
      and ISMERGE(CO\AUSERPORT[I@4].SYSOUT.OUTTO,
              OUTTO\ARRAYTOBAG(AUSERPORT@1[I@4].SYSOUT.PAR, 1, NUSERS))

-->

C1: all J : USERID, ISSUBMERGE(AUSERPORT@1[J].SYSOUT.OUTTO,
                               ALLSECUREMAILFOR(AUSERPORT@1, J, SECURITY))


Only  key  parts  of  proofs  are  included.  All  properties  used  are  explicitly 
noted;  some  are  referred  to  in  interactive  dialogs. 
Backup point

(.)

Occasionally, backup points and theorem labels, such as the "(.)" above, are
printed. Although they serve a useful purpose, they can be ignored here. The
prover skolemizes NETWORK@1 to eliminate quantifiers, yielding the following
theorem.

Prover-> Print Theorem

H1. AUSERPORT[I@1!].SYSIN.INFROM = MSGSEQ()
H2. AUSERPORT[I@1!].SYSIN.OUTTO = MSGSEQ()
H3. AUSERPORT[I@1!].SYSOUT.INFROM = MSGSEQ()
H4. AUSERPORT[I@1!].SYSOUT.OUTTO = MSGSEQ()
H5. I@2! ne J! -> AUSERPORT@1[J!].SYSIN.PAR[I@2!].INFROM = MSGSEQ()
H6. AUSERPORT@1[J!].SYSOUT.PAR[I@2!].OUTTO
      sub SECUREMAIL(SECURITY[I@2!], SECURITY[J!],
                     MAIL(AUSERPORT@1[I@2!].SYSIN.PAR[I@2!].INFROM, I@2!, J!))
H7. CO\AUSERPORT[I@3!].SYSIN.INFROM = AUSERPORT[I@3!].SYSIN.INFROM
      = AUSERPORT@1[I@3!].SYSIN.INFROM
H8. CO\AUSERPORT[I@3!].SYSIN.OUTTO = AUSERPORT[I@3!].SYSIN.OUTTO
      = AUSERPORT@1[I@3!].SYSIN.OUTTO
H9. CO\AUSERPORT[I@3!].SYSOUT.INFROM = AUSERPORT[I@3!].SYSOUT.INFROM
      = AUSERPORT@1[I@3!].SYSOUT.INFROM
H10. CO\AUSERPORT[I@3!].SYSOUT.OUTTO = AUSERPORT[I@3!].SYSOUT.OUTTO
      = AUSERPORT@1[I@3!].SYSOUT.OUTTO
H11. ISMERGE(CO\AUSERPORT[I@4!].SYSIN.INFROM,
             INFROM\ARRAYTOBAG(AUSERPORT@1[I@4!].SYSIN.PAR, 1, NUSERS))
H12. ISMERGE(CO\AUSERPORT[I@4!].SYSIN.OUTTO,
             OUTTO\ARRAYTOBAG(AUSERPORT@1[I@4!].SYSIN.PAR, 1, NUSERS))
H13. ISMERGE(CO\AUSERPORT[I@4!].SYSOUT.INFROM,
             INFROM\ARRAYTOBAG(AUSERPORT@1[I@4!].SYSOUT.PAR, 1, NUSERS))
H14. ISMERGE(CO\AUSERPORT[I@4!].SYSOUT.OUTTO,
             OUTTO\ARRAYTOBAG(AUSERPORT@1[I@4!].SYSOUT.PAR, 1, NUSERS))
IMP
C1. ISSUBMERGE(AUSERPORT@1[J].SYSOUT.OUTTO,
               ALLSECUREMAILFOR(AUSERPORT@1, J, SECURITY))


The user directs the prover to delete irrelevant hypotheses H2, H3, H8, H9,
H12, and H13, and several equality substitutions are performed, resulting in
the following theorem.
H1. I@2! ne J! -> AUSERPORT@1[J!].SYSIN.PAR[I@2!].INFROM = MSGSEQ()
H2. ISMERGE(AUSERPORT@1[I@1!].SYSIN.INFROM,
            INFROM\ARRAYTOBAG(AUSERPORT@1[I@1!].SYSIN.PAR, 1, NUSERS))
H3. ISMERGE(AUSERPORT@1[I@1!].SYSOUT.OUTTO,
            OUTTO\ARRAYTOBAG(AUSERPORT@1[I@1!].SYSOUT.PAR, 1, NUSERS))
H4. AUSERPORT@1[J!].SYSOUT.PAR[I@2!].OUTTO
      sub SECUREMAIL(SECURITY[I@2!], SECURITY[J!],
                     MAIL(AUSERPORT@1[I@2!].SYSIN.PAR[I@2!].INFROM, I@2!, J!))
IMP
C1. ISSUBMERGE(AUSERPORT@1[J].SYSOUT.OUTTO,
               ALLSECUREMAILFOR(AUSERPORT@1, J, SECURITY))


This cannot be proved without expanding the definition of IsSubMerge and
adding a new lemma. These two steps are shown below, followed by a display
of the transformed theorem.


Prover-> Expand IsSubMerge

Backup point

(. D PUT . -S . -S . E .)

Prover-> Print Conclusion

C1. ISMERGE(X!,
            ARRAYTOBAG(ALLSECUREMAILFOR(AUSERPORT@1, J, SECURITY), 1,
                       NUSERS))

C2. AUSERPORT@1[J].SYSOUT.OUTTO sub X!

Prover-> Use Lemma
Enter lemma ...

* all A: MsgBufArray, all B: MsgSeqArray, all X: MsgSeq,
*   IsMerge(X, Outto\ArrayToBag(A,1,NUsers))
*   and (all K: UserId, A[K].Outto sub B[K])
*   -> some Y: MsgSeq,
*        IsMerge(Y, ArrayToBag(B,1,NUsers))
*        and X sub Y;

Lemma added ... Its name is LEMMA@1

(. D PUT . -S . -S . E . U)

Prover-> Print Theorem

H1. A![K].OUTTO sub B![K]
      and ISMERGE(X!1, OUTTO\ARRAYTOBAG(A!, 1, NUSERS))
    -> ISMERGE(Y, ARRAYTOBAG(B!, 1, NUSERS)) and X!1 sub Y




LEMMA@1 was skolemized and added as a new hypothesis, leaving the rest of
the theorem unchanged. The prover backchains on H1, breaks the resulting
theorem into two subgoals, then tries to prove the first subgoal and fails.

Prover-> Print Theorem

H1. AUSERPORT@1[J!].SYSOUT.PAR[I@2!].OUTTO
      sub SECUREMAIL(SECURITY[I@2!], SECURITY[J!],
                     MAIL(AUSERPORT@1[I@2!].SYSIN.PAR[I@2!].INFROM, I@2!, J!))
H2. ISMERGE(AUSERPORT@1[I@1!].SYSOUT.OUTTO,
            OUTTO\ARRAYTOBAG(AUSERPORT@1[I@1!].SYSOUT.PAR, 1, NUSERS))
H3. ISMERGE(AUSERPORT@1[I@1!].SYSIN.INFROM,
            INFROM\ARRAYTOBAG(AUSERPORT@1[I@1!].SYSIN.PAR, 1, NUSERS))
H4. I@2! ne J! -> AUSERPORT@1[J!].SYSIN.PAR[I@2!].INFROM = MSGSEQ()
IMP
C1. A![K!(AUSERPORT@1[J].SYSOUT.OUTTO,
          ALLSECUREMAILFOR(AUSERPORT@1, J, SECURITY), A!)]
      .OUTTO
      sub ALLSECUREMAILFOR(AUSERPORT@1, J, SECURITY)
            [K!(AUSERPORT@1[J].SYSOUT.OUTTO,
                ALLSECUREMAILFOR(AUSERPORT@1, J, SECURITY), A!)]

The  user  directs  the  prover  to  establish  an  intermediate  fact  for  use  in  the 
proof  of  Cl. 

Prover-> Claim
Newgoal:

* AUSERPORT@1[K].SYSIN.PAR[K].INFROM = AUSERPORT@1[K].SYSIN.INFROM;

After the user adds a lemma, the claim is established and then added as
hypothesis H1.

Prover-> Use Lemma
Enter lemma ...

* all A: MsgBufArray, all I: UserId, all X: MsgSeq,
*   (all J: UserId, I ne J -> A[J].Infrom = MsgSeq())
*   and IsMerge(X, Infrom\ArrayToBag(A,1,NUsers))
*   -> X = A[I].Infrom;

Lemma added ... Its name is LEMMA@2


Prover-> Print Theorem

H1. AUSERPORT@1[K].SYSIN.PAR[K].INFROM = AUSERPORT@1[K].SYSIN.INFROM
H2. AUSERPORT@1[J!].SYSOUT.PAR[I@2!].OUTTO
      sub SECUREMAIL(SECURITY[I@2!], SECURITY[J!],
                     MAIL(AUSERPORT@1[I@2!].SYSIN.PAR[I@2!].INFROM, I@2!, J!))
H3. ISMERGE(AUSERPORT@1[I@1!].SYSOUT.OUTTO,
            OUTTO\ARRAYTOBAG(AUSERPORT@1[I@1!].SYSOUT.PAR, 1, NUSERS))
H4. ISMERGE(AUSERPORT@1[I@1!].SYSIN.INFROM,
            INFROM\ARRAYTOBAG(AUSERPORT@1[I@1!].SYSIN.PAR, 1, NUSERS))
H5. I@2! ne J! -> AUSERPORT@1[J!].SYSIN.PAR[I@2!].INFROM = MSGSEQ()
IMP
C1. A![K!(AUSERPORT@1[J].SYSOUT.OUTTO,
          ALLSECUREMAILFOR(AUSERPORT@1, J, SECURITY), A!)]
      .OUTTO
      sub ALLSECUREMAILFOR(AUSERPORT@1, J, SECURITY)
            [K!(AUSERPORT@1[J].SYSOUT.OUTTO,
                ALLSECUREMAILFOR(AUSERPORT@1, J, SECURITY), A!)]

The remaining sequence of events is (a) the specifications of
AllSecureMailFor are added, (b) the prover fails to prove the theorem, (c) the
user directs the prover to build a chain of equalities, and (d) the prover tries
again and succeeds.


NETWORK@1 proved in theorem prover.

Suggest fully defining SWITCHER-> Print Status All

The current design and verification status is:

Waiting for pending body to be filled in: SWITCHER
Proved: NETWORK
For specifications only: ARRAYTOBAG, ALLSECUREMAILFOR, ISSUBMERGE,
  INFROM\ARRAYTOBAG, MAIL, OUTTO\ARRAYTOBAG, SECUREMAIL
Constants/Types: BAGMSGSEQ, MSG, MSGSEQ, MSGINBUF, MSGOUTBUF,
  MSGBUFARRAY, MSGSEQARRAY, NUSERS, SECURITYARRAY, SECURITYCLASS,
  USERID, USERPORT, USERPORTARRAY
As indicated by the status summary, the top-level network program is
completely proved and the switcher process is waiting to be implemented. The
user has SID preview the potential effects of several possible changes before
proceeding.

Suggest fully defining SWITCHER-> Explain

<- What are the effects of filling in Switcher's pending body?
No effects.

<- Why?
Because the body of SWITCHER is currently undefined.

<- What are the effects of changing its block specification?
No effects on SWITCHER. The verification of other programs is not affected if
the formula

Changed block specification
-->
C1: all J : USERID, APORTS[J].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J))
      and (J ne I -> APORTS[J].SYSIN.INFROM = MSGSEQ())

is true. If not, the change invalidates the verification of NETWORK.

<- Why?
No effects on SWITCHER because it does not have any VCs. Invalid verification
because the block specification of SWITCHER was used in proving NETWORK@1.

<- What are the effects of changing the header of SecureMail?
Possible effects of changing the header of SECUREMAIL are:
Incorrect semantics: ALLSECUREMAILFOR, SWITCHER
Invalid verification: NETWORK
process Switcher(i:UserId; var aports:UserPortArray;
                 Security:SecurityArray) =
  begin
    entry i in [1..NUsers];
    block all j:userid,
      aports(j).sysout.outto sub
        securemail(security(i),security(j),
                   mail(aports(i).sysin.infrom,i,j))
      and
      ( j ne i -> aports(j).sysin.infrom = MsgSeq() );
    var ms : Msg := MakeMsg(i,i,MsgText());
    keep (assume source(ms) = i);
    loop
      assert all j:userid,
        aports(j).sysout.outto sub
          securemail(security(i),security(j),
                     mail(aports(i).sysin.infrom,i,j))
        and
        ( j ne i -> aports(j).sysin.infrom = MsgSeq() );
      begin
        receive ms from aports(i).SysIn;
        if Secure(Security(i),Security(Destination(ms)))
          then send ms to aports(Destination(ms)).SysOut
      end;
      when
        is ReceiveError: ;
        is SendError: ;
      end;
    end;
  end;

function SecureMail(s1,s2:SecurityClass;
                    ms:MsgSeq):MsgSeq =
  begin
    exit (assume SecureMail(s1,s2,ms) =
            ( if Secure(s1,s2) then ms
              else MsgSeq() fi));
  end;

function Mail(ms:MsgSeq;i,j:UserId):MsgSeq =
  begin
    exit (assume Mail(ms,i,j) =
            ( if ms = MsgSeq() then MsgSeq()
              else if Source(last(ms)) = i and
                      Destination(last(ms)) = j
                   then Mail(nonlast(ms),i,j) & MsgSeq(last(ms))
                   else Mail(nonlast(ms),i,j) fi
              fi ));
  end;

function Secure(s1,s2:SecurityClass):boolean = pending;

function Source(M:Msg):UserId = pending;
function Destination(M:Msg):UserId = pending;
function MakeMsg(S,D : UserId; T : MsgText) : Msg =
  begin
    entry S in [1..NUsers] and D in [1..NUsers];
    pending
  end;

type MsgText = pending;


No syntax errors detected.
No semantic errors detected.

The message switching process is completely implemented and specified.
Several additional specifications are also entered for verification and
type-checking purposes.
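To make the network specification and the Switcher process concrete, here is an added executable model (not part of the SID session or of its specification language): it implements Mail, SecureMail, AllSecureMailFor and IsSubMerge in Python, runs one switcher per port as the Switcher process above does, and checks the Network block specification against the resulting outto histories. Secure(s1,s2), which the transcript leaves pending, is assumed here to be the classification dominance test s1 <= s2, and the port classifications and input histories are constructed sample data.

```python
from collections import namedtuple
from functools import lru_cache

# Message abstraction from the final stage: source id, destination id, text.
Msg = namedtuple("Msg", "source destination text")

# SecurityClass as an ordered enumeration, lowest first.
SECURITY_CLASSES = ("unclassified", "confidential", "secret", "topsecret")


def secure(s1, s2):
    """ASSUMPTION: Secure(s1,s2) is left pending in the transcript; modelled
    here as the dominance test 'sender class <= receiver class'."""
    return SECURITY_CLASSES.index(s1) <= SECURITY_CLASSES.index(s2)


def mail(ms, i, j):
    """Mail(ms,i,j): the messages of ms with source i and destination j, in
    order (iterative form of the transcript's recursive definition)."""
    return [m for m in ms if m.source == i and m.destination == j]


def secure_mail(s1, s2, ms):
    """SecureMail(s1,s2,ms) = if Secure(s1,s2) then ms else MsgSeq()."""
    return list(ms) if secure(s1, s2) else []


def all_secure_mail_for(infrom, j, security):
    """AllSecureMailFor(a,j,s)(i) = SecureMail(s(i),s(j),Mail(a(i).sysin.infrom,i,j)).
    infrom maps port id -> that port's sysin.infrom history."""
    return {i: secure_mail(security[i], security[j], mail(infrom[i], i, j))
            for i in infrom}


def is_submerge(s, seqs):
    """IsSubMerge(s,a): some merge x of the sequences in a has s sub x.
    Equivalently, the elements of s can be charged, in order, to the
    sequences so that those charged to sequence k form a subsequence of k."""
    s, seqs = tuple(s), [tuple(x) for x in seqs]

    @lru_cache(maxsize=None)
    def search(p, pos):
        if p == len(s):
            return True
        for k, seq in enumerate(seqs):
            # earliest match inside one sequence is always safe to take
            idx = next((n for n in range(pos[k], len(seq)) if seq[n] == s[p]), None)
            if idx is not None and search(p + 1, pos[:k] + (idx + 1,) + pos[k + 1:]):
                return True
        return False

    return search(0, (0,) * len(seqs))


def run_network(infrom, security, check_security=True):
    """One Switcher per port: receive from port i's SysIn, check
    Secure(Security(i), Security(Destination(ms))), send to the
    destination's SysOut.  Returns dict j -> sysout.outto history.
    check_security=False models a switcher that forwards everything."""
    outto = {j: [] for j in infrom}
    for i, inbuf in infrom.items():
        for ms in inbuf:
            if not check_security or secure(security[i], security[ms.destination]):
                outto[ms.destination].append(ms)
    return outto


def network_spec_holds(infrom, outto, security):
    """Network block spec: all j, IsSubMerge(outto(j), AllSecureMailFor(a,j,s))."""
    return all(is_submerge(outto[j], all_secure_mail_for(infrom, j, security).values())
               for j in infrom)


# Constructed sample input: three ports, their classifications and input histories.
SECURITY = {1: "unclassified", 2: "secret", 3: "topsecret"}
INFROM = {
    1: [Msg(1, 2, "hello"), Msg(1, 3, "report")],
    2: [Msg(2, 3, "memo"), Msg(2, 1, "downgrade")],  # secret -> unclassified: must be dropped
    3: [Msg(3, 1, "ts-1"), Msg(3, 2, "ts-2")],       # topsecret -> lower: must be dropped
}


def demo():
    """Returns (spec holds for the checking switcher, spec holds for the unchecked one)."""
    good = run_network(INFROM, SECURITY)
    bad = run_network(INFROM, SECURITY, check_security=False)
    return (network_spec_holds(INFROM, good, SECURITY),
            network_spec_holds(INFROM, bad, SECURITY))


if __name__ == "__main__":
    print(demo())
```

The second result shows what the subsequence-of-a-merge specification catches: a switcher that skips the Secure check delivers the secret and topsecret messages to the unclassified port, and those messages are not in AllSecureMailFor for that port, so IsSubMerge fails.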

Exec-> Print Status All

The current design and verification status is:

Waiting for VC generation: SWITCHER
Waiting for pending body to be filled in: DESTINATION, MAKEMSG, SECURE,
  SOURCE
Proved: NETWORK
For specifications only: ARRAYTOBAG, ALLSECUREMAILFOR, ISSUBMERGE,
  INFROM\ARRAYTOBAG, MAIL, OUTTO\ARRAYTOBAG, SECUREMAIL
Constants/Types: BAGMSGSEQ, MSG, MSGSEQ, MSGTEXT, MSGINBUF, MSGOUTBUF,
  MSGBUFARRAY, MSGSEQARRAY, NUSERS, SECURITYARRAY, SECURITYCLASS,
  USERID, USERPORT, USERPORTARRAY

Exec-> Suggest
Suggest generating VCs for SWITCHER-> |

Generating VCs for PROCESS SWITCHER

Found 1-ST path
Found 2-ND path
Found 3-RD path
Note: Loop has no exit paths
Found 4-TH path
Found 5-TH path
Found 6-TH path
Found 7-TH path


The trace of how the VCs for Switcher are generated is covered in the next
several pages.


Beginning new path...

APORTS' := APORTS

Assume Initial Buffer Histories are null

all I@1 : INTEGER [1..100], APORTS[I@1].SYSIN.INFROM = MSGSEQ()
  and APORTS[I@1].SYSIN.OUTTO = MSGSEQ()
  and APORTS[I@1].SYSOUT.INFROM = MSGSEQ()
  and APORTS[I@1].SYSOUT.OUTTO = MSGSEQ()

Assume (unit entry condition)

I in [1..NUSERS]

Initializing local variables

Evaluating MAKEMSG(I, I, MSGTEXT())

Continuing in path...

MS := MAKEMSG(I, I, MSGTEXT())

Assume (KEEP assertion)

SOURCE(MS) = I

Entering loop...

Evaluating SECUREMAIL(SECURITY[I], SECURITY[J@1],
                      MAIL(APORTS[I].SYSIN.INFROM, I, J@1))
Continuing in path...

Evaluating MAIL(APORTS[I].SYSIN.INFROM, I, J@1)

Continuing in path...

ASSERT all J@1 : USERID, APORTS[J@1].SYSOUT.OUTTO
         sub SECUREMAIL(SECURITY[I], SECURITY[J@1],
                        MAIL(APORTS[I].SYSIN.INFROM, I, J@1))
         and (J@1 ne I -> APORTS[J@1].SYSIN.INFROM = MSGSEQ())

Must verify ASSERT condition
Verification condition SWITCHER@1

H1: all I@1 : INTEGER [1..100], APORTS[I@1].SYSIN.INFROM = MSGSEQ()
      and APORTS[I@1].SYSIN.OUTTO = MSGSEQ()
      and APORTS[I@1].SYSOUT.INFROM = MSGSEQ()
      and APORTS[I@1].SYSOUT.OUTTO = MSGSEQ()
H2: I = SOURCE(MAKEMSG(I, I, MSGTEXT()))
H3: I in [1..NUSERS]

-->

C1: all J@1 : USERID, (I ne J@1 -> APORTS[J@1].SYSIN.INFROM = MSGSEQ())
      and APORTS[J@1].SYSOUT.OUTTO
            sub SECUREMAIL(SECURITY[I], SECURITY[J@1],
                           MAIL(APORTS[I].SYSIN.INFROM, I, J@1))

End of path


Beginning new path...
Continuing in LOOP ...

Assume (from last assertion)

all J@1 : USERID, APORTS[J@1].SYSOUT.OUTTO
  sub SECUREMAIL(SECURITY[I], SECURITY[J@1],
                 MAIL(APORTS[I].SYSIN.INFROM, I, J@1))
  and (J@1 ne I -> APORTS[J@1].SYSIN.INFROM = MSGSEQ())

Assume (KEEP assertion)
SOURCE(MS) = I

RECEIVE MS FROM APORTS[I].SYSIN
MS := FIRST(APORTS@1[I].SYSIN.BUFQ)

Assume (KEEP assertion)
SOURCE(MS) = I

Assume new buffer history

(all I@2 : INTEGER [1..100],
   APORTS[I@2].SYSIN.OUTTO = APORTS@1[I@2].SYSIN.OUTTO
   and APORTS[I@2].SYSOUT.INFROM = APORTS@1[I@2].SYSOUT.INFROM
   and APORTS[I@2].SYSOUT.OUTTO = APORTS@1[I@2].SYSOUT.OUTTO
   and ( I@2 ne I
         -> APORTS[I@2].SYSIN.INFROM = APORTS@1[I@2].SYSIN.INFROM))
and APORTS[I].SYSIN.INFROM & MSGSEQ(FIRST(APORTS@1[I].SYSIN.BUFQ))
    = APORTS@1[I].SYSIN.INFROM

APORTS := APORTS@1

Evaluating DESTINATION(MS)

Continuing in path...

Evaluating SECURE(SECURITY[I], SECURITY[DESTINATION(MS)])
Continuing in path...

Assume (IF test succeeded)

SECURE(SECURITY[I], SECURITY[DESTINATION(MS)])

SEND MS TO APORTS[DESTINATION(MS)].SYSOUT

Assume new buffer history

all I@4 : INTEGER [1..100], APORTS@2[I@4].SYSIN.INFROM
    = APORTS[I@4].SYSIN.INFROM
  and APORTS@2[I@4].SYSIN.OUTTO
    = APORTS[I@4].SYSIN.OUTTO
  and APORTS@2[I@4].SYSOUT.INFROM
    = APORTS[I@4].SYSOUT.INFROM
  and APORTS@2[I@4].SYSOUT.OUTTO
    = APORTS[I@4].SYSOUT.OUTTO

APORTS := APORTS@2

Assume (SEND blocked)

FULL(APORTS[DESTINATION(MS)].SYSOUT)
Blockage assertion is

all J : USERID, APORTS[J].SYSOUT.OUTTO
  sub SECUREMAIL(SECURITY[I], SECURITY[J],
                 MAIL(APORTS[I].SYSIN.INFROM, I, J))
  and (J ne I -> APORTS[J].SYSIN.INFROM = MSGSEQ())

Must verify (process blockage) condition
Verification condition SWITCHER@2

H1: all I@2 : INTEGER [1..100], APORTS[I@2].SYSIN.OUTTO
        = APORTS@1[I@2].SYSIN.OUTTO
      and APORTS[I@2].SYSOUT.INFROM
        = APORTS@1[I@2].SYSOUT.INFROM
      and APORTS[I@2].SYSOUT.OUTTO
        = APORTS@1[I@2].SYSOUT.OUTTO
      and ( I ne I@2
            -> APORTS[I@2].SYSIN.INFROM
               = APORTS@1[I@2].SYSIN.INFROM)

H2: all I@4 : INTEGER [1..100], APORTS@1[I@4].SYSIN.INFROM
        = APORTS@2[I@4].SYSIN.INFROM
      and APORTS@1[I@4].SYSIN.OUTTO
        = APORTS@2[I@4].SYSIN.OUTTO
      and APORTS@1[I@4].SYSOUT.INFROM
        = APORTS@2[I@4].SYSOUT.INFROM
      and APORTS@1[I@4].SYSOUT.OUTTO
        = APORTS@2[I@4].SYSOUT.OUTTO

H3: all J@1 : USERID, (I ne J@1 -> APORTS[J@1].SYSIN.INFROM = MSGSEQ())
      and APORTS[J@1].SYSOUT.OUTTO
            sub SECUREMAIL(SECURITY[I], SECURITY[J@1],
                           MAIL(APORTS[I].SYSIN.INFROM, I, J@1))

H4: APORTS[I].SYSIN.INFROM & MSGSEQ(FIRST(APORTS@1[I].SYSIN.BUFQ))
      = APORTS@1[I].SYSIN.INFROM
H5: I = SOURCE(FIRST(APORTS@1[I].SYSIN.BUFQ))
H6: I = SOURCE(MS)
H7: FULL(APORTS@2[DESTINATION(FIRST(APORTS@1[I].SYSIN.BUFQ))].SYSOUT)
H8: SECURE(SECURITY[I],
           SECURITY[DESTINATION(FIRST(APORTS@1[I].SYSIN.BUFQ))])

-->

C1: all J : USERID, (I ne J -> APORTS@2[J].SYSIN.INFROM = MSGSEQ())
      and APORTS@2[J].SYSOUT.OUTTO
            sub SECUREMAIL(SECURITY[I], SECURITY[J],
                           MAIL(APORTS@2[I].SYSIN.INFROM, I, J))

End of path
Beginning new path...

Continuing in LOOP ...

Assume (from last assertion)

all J#1 : USERID, APORTS[J#1].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J#1))
    and (J#1 ne I -> APORTS[J#1].SYSIN.INFROM = MSGSEQ())

Assume (KEEP assertion)

SOURCE(MS) = I

RECEIVE MS FROM APORTS[I].SYSIN
Assume new buffer history

all I#5 : INTEGER [1..100], APORTS#1[I#5].SYSIN.INFROM
      = APORTS[I#5].SYSIN.INFROM
    and APORTS#1[I#5].SYSIN.OUTTO
      = APORTS[I#5].SYSIN.OUTTO
    and APORTS#1[I#5].SYSOUT.INFROM
      = APORTS[I#5].SYSOUT.INFROM
    and APORTS#1[I#5].SYSOUT.OUTTO
      = APORTS[I#5].SYSOUT.OUTTO

APORTS := APORTS#1

Assume (RECEIVE blocked)

EMPTY(APORTS[I].SYSIN)

Blockage assertion is

all J : USERID, APORTS[J].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J))
    and (J ne I -> APORTS[J].SYSIN.INFROM = MSGSEQ())

Must verify (process blockage) condition
Verification condition SWITCHER#3
H1: all I#5 : INTEGER [1..100], APORTS[I#5].SYSIN.INFROM
      = APORTS#1[I#5].SYSIN.INFROM
    and APORTS[I#5].SYSIN.OUTTO
      = APORTS#1[I#5].SYSIN.OUTTO
    and APORTS[I#5].SYSOUT.INFROM
      = APORTS#1[I#5].SYSOUT.INFROM
    and APORTS[I#5].SYSOUT.OUTTO
      = APORTS#1[I#5].SYSOUT.OUTTO

H2: all J#1 : USERID, (I ne J#1 -> APORTS[J#1].SYSIN.INFROM = MSGSEQ())
    and APORTS[J#1].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J#1))

H3: EMPTY(APORTS#1[I].SYSIN)

H4: I = SOURCE(MS)

-->

C1: all J : USERID, (I ne J -> APORTS#1[J].SYSIN.INFROM = MSGSEQ())
    and APORTS#1[J].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J],
                     MAIL(APORTS#1[I].SYSIN.INFROM, I, J))

End of path


Beginning new path...

Continuing in LOOP ...

Assume (from last assertion)

all J#1 : USERID, APORTS[J#1].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J#1))
    and (J#1 ne I -> APORTS[J#1].SYSIN.INFROM = MSGSEQ())

Assume (KEEP assertion)

SOURCE(MS) = I

RECEIVE MS FROM APORTS[I].SYSIN
MS := FIRST(APORTS#1[I].SYSIN.BUFQ)

Assume (KEEP assertion)

SOURCE(MS) = I

Assume new buffer history

(all I#2 : INTEGER [1..100],
    APORTS[I#2].SYSIN.OUTTO = APORTS#1[I#2].SYSIN.OUTTO
    and APORTS[I#2].SYSOUT.INFROM = APORTS#1[I#2].SYSOUT.INFROM
    and APORTS[I#2].SYSOUT.OUTTO = APORTS#1[I#2].SYSOUT.OUTTO
    and (I#2 ne I
      -> APORTS[I#2].SYSIN.INFROM = APORTS#1[I#2].SYSIN.INFROM))
and APORTS[I].SYSIN.INFROM @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
    = APORTS#1[I].SYSIN.INFROM

APORTS := APORTS#1

Evaluating DESTINATION(MS)

Continuing in path...

Evaluating SECURE(SECURITY[I], SECURITY[DESTINATION(MS)])

Continuing in path...

Assume (IF test succeeded)

SECURE(SECURITY[I], SECURITY[DESTINATION(MS)])

SEND MS TO APORTS[DESTINATION(MS)].SYSOUT

Assume new buffer history

(all I#3 : INTEGER [1..100],
    APORTS[I#3].SYSIN.INFROM = APORTS#2[I#3].SYSIN.INFROM
    and APORTS[I#3].SYSIN.OUTTO = APORTS#2[I#3].SYSIN.OUTTO
    and APORTS[I#3].SYSOUT.INFROM = APORTS#2[I#3].SYSOUT.INFROM
    and (I#3 ne DESTINATION(MS)
      -> APORTS[I#3].SYSOUT.OUTTO = APORTS#2[I#3].SYSOUT.OUTTO))
and APORTS[DESTINATION(MS)].SYSOUT.OUTTO @ MSGSEQ(MS)
    = APORTS#2[DESTINATION(MS)].SYSOUT.OUTTO

APORTS := APORTS#2

Entering next iteration of loop...

Evaluating SECUREMAIL(SECURITY[I], SECURITY[J#1],
                      MAIL(APORTS[I].SYSIN.INFROM, I, J#1))

Continuing in path...

Evaluating MAIL(APORTS[I].SYSIN.INFROM, I, J#1)

Continuing in path...

ASSERT all J#1 : USERID, APORTS[J#1].SYSOUT.OUTTO
             sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                            MAIL(APORTS[I].SYSIN.INFROM, I, J#1))
           and (J#1 ne I -> APORTS[J#1].SYSIN.INFROM = MSGSEQ())

Must verify ASSERT condition
Verification condition SWITCHER#4
H1: all I#2 : INTEGER [1..100], APORTS[I#2].SYSIN.OUTTO
      = APORTS#1[I#2].SYSIN.OUTTO
    and APORTS[I#2].SYSOUT.INFROM
      = APORTS#1[I#2].SYSOUT.INFROM
    and APORTS[I#2].SYSOUT.OUTTO
      = APORTS#1[I#2].SYSOUT.OUTTO
    and (I ne I#2
      -> APORTS[I#2].SYSIN.INFROM
         = APORTS#1[I#2].SYSIN.INFROM)

H2: all I#3 : INTEGER [1..100],
    APORTS#1[I#3].SYSIN.INFROM = APORTS#2[I#3].SYSIN.INFROM
    and APORTS#1[I#3].SYSIN.OUTTO = APORTS#2[I#3].SYSIN.OUTTO
    and APORTS#1[I#3].SYSOUT.INFROM = APORTS#2[I#3].SYSOUT.INFROM
    and (I#3 ne DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))
      -> APORTS#1[I#3].SYSOUT.OUTTO = APORTS#2[I#3].SYSOUT.OUTTO)

H3: all J#1 : USERID, (I ne J#1 -> APORTS[J#1].SYSIN.INFROM = MSGSEQ())
    and APORTS[J#1].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J#1))

H4: APORTS[I].SYSIN.INFROM @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
      = APORTS#1[I].SYSIN.INFROM

H5: APORTS#1[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))].SYSOUT.OUTTO
      @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
      = APORTS#2[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))].SYSOUT.OUTTO
H6: I = SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ))

H7: I = SOURCE(MS)

H8: SECURE(SECURITY[I],
           SECURITY[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))])

-->

C1: all J#1 : USERID, (I ne J#1 -> APORTS#2[J#1].SYSIN.INFROM = MSGSEQ())
    and APORTS#2[J#1].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                     MAIL(APORTS#2[I].SYSIN.INFROM, I, J#1))
End of path


Beginning new path...
Continuing in LOOP ...

Assume (from last assertion)

all J#1 : USERID, APORTS[J#1].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J#1))
    and (J#1 ne I -> APORTS[J#1].SYSIN.INFROM = MSGSEQ())

Assume (KEEP assertion)
SOURCE(MS) = I




RECEIVE MS FROM APORTS[I].SYSIN
MS := FIRST(APORTS#1[I].SYSIN.BUFQ)

Assume (KEEP assertion)
SOURCE(MS) = I

Assume new buffer history

(all I#2 : INTEGER [1..100],
    APORTS[I#2].SYSIN.OUTTO = APORTS#1[I#2].SYSIN.OUTTO
    and APORTS[I#2].SYSOUT.INFROM = APORTS#1[I#2].SYSOUT.INFROM
    and APORTS[I#2].SYSOUT.OUTTO = APORTS#1[I#2].SYSOUT.OUTTO
    and (I#2 ne I
      -> APORTS[I#2].SYSIN.INFROM = APORTS#1[I#2].SYSIN.INFROM))
and APORTS[I].SYSIN.INFROM @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
    = APORTS#1[I].SYSIN.INFROM

APORTS := APORTS#1

Evaluating DESTINATION(MS)

Continuing in path...




Evaluating SECURE(SECURITY[I], SECURITY[DESTINATION(MS)])
Continuing in path...

Assume (IF test succeeded)

SECURE(SECURITY[I], SECURITY[DESTINATION(MS)])

Evaluating DESTINATION(MS)

Continuing in path...

SEND MS TO APORTS[DESTINATION(MS)].SYSOUT
Signalling condition SENDERROR
Entering WHEN part...

Entering next iteration of loop...

Evaluating SECUREMAIL(SECURITY[I], SECURITY[J#1],
                      MAIL(APORTS[I].SYSIN.INFROM, I, J#1))

Continuing in path...

Evaluating MAIL(APORTS[I].SYSIN.INFROM, I, J#1)

Continuing in path...

ASSERT all J#1 : USERID, APORTS[J#1].SYSOUT.OUTTO
             sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                            MAIL(APORTS[I].SYSIN.INFROM, I, J#1))
           and (J#1 ne I -> APORTS[J#1].SYSIN.INFROM = MSGSEQ())

Must verify ASSERT condition
Verification condition SWITCHER#5
H1: all I#2 : INTEGER [1..100], APORTS[I#2].SYSIN.OUTTO
      = APORTS#1[I#2].SYSIN.OUTTO
    and APORTS[I#2].SYSOUT.INFROM
      = APORTS#1[I#2].SYSOUT.INFROM
    and APORTS[I#2].SYSOUT.OUTTO
      = APORTS#1[I#2].SYSOUT.OUTTO
    and (I ne I#2
      -> APORTS[I#2].SYSIN.INFROM
         = APORTS#1[I#2].SYSIN.INFROM)

H2: all J#1 : USERID, (I ne J#1 -> APORTS[J#1].SYSIN.INFROM = MSGSEQ())
    and APORTS[J#1].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J#1))

H3: APORTS[I].SYSIN.INFROM @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
      = APORTS#1[I].SYSIN.INFROM
H4: I = SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ))

H5: I = SOURCE(MS)

H6: SECURE(SECURITY[I],
Assume (KEEP assertion)

SOURCE(MS) = I

RECEIVE MS FROM APORTS[I].SYSIN

MS := FIRST(APORTS#1[I].SYSIN.BUFQ)

Assume (KEEP assertion)

SOURCE(MS) = I

Assume new buffer history

(all I#2 : INTEGER [1..100],
    APORTS[I#2].SYSIN.OUTTO = APORTS#1[I#2].SYSIN.OUTTO
    and APORTS[I#2].SYSOUT.INFROM = APORTS#1[I#2].SYSOUT.INFROM
    and APORTS[I#2].SYSOUT.OUTTO = APORTS#1[I#2].SYSOUT.OUTTO
    and (I#2 ne I
      -> APORTS[I#2].SYSIN.INFROM = APORTS#1[I#2].SYSIN.INFROM))
and APORTS[I].SYSIN.INFROM @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
    = APORTS#1[I].SYSIN.INFROM


APORTS := APORTS#1

Assume (IF test failed)

(not SECURE(SECURITY[I], SECURITY[DESTINATION(MS)]))

Entering next iteration of loop...

Evaluating SECUREMAIL(SECURITY[I], SECURITY[J#1],
                      MAIL(APORTS[I].SYSIN.INFROM, I, J#1))
Continuing in path...

Evaluating MAIL(APORTS[I].SYSIN.INFROM, I, J#1)

Continuing in path...

ASSERT all J#1 : USERID, APORTS[J#1].SYSOUT.OUTTO
             sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                            MAIL(APORTS[I].SYSIN.INFROM, I, J#1))
           and (J#1 ne I -> APORTS[J#1].SYSIN.INFROM = MSGSEQ())

Must verify ASSERT condition
Verification condition SWITCHER#6
H1: all I#2 : INTEGER [1..100], APORTS[I#2].SYSIN.OUTTO
      = APORTS#1[I#2].SYSIN.OUTTO
    and APORTS[I#2].SYSOUT.INFROM
      = APORTS#1[I#2].SYSOUT.INFROM
    and APORTS[I#2].SYSOUT.OUTTO
      = APORTS#1[I#2].SYSOUT.OUTTO
    and (I ne I#2
      -> APORTS[I#2].SYSIN.INFROM
         = APORTS#1[I#2].SYSIN.INFROM)

H2: all J#1 : USERID, (I ne J#1 -> APORTS[J#1].SYSIN.INFROM = MSGSEQ())
    and APORTS[J#1].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J#1))

H3: APORTS[I].SYSIN.INFROM @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
      = APORTS#1[I].SYSIN.INFROM
H4: I = SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ))

H5: I = SOURCE(MS)

H6: (not SECURE(SECURITY[I],
                SECURITY[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))]))

-->

C1: all J#1 : USERID, (I ne J#1 -> APORTS#1[J#1].SYSIN.INFROM = MSGSEQ())
    and APORTS#1[J#1].SYSOUT.OUTTO




      sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                     MAIL(APORTS#1[I].SYSIN.INFROM, I, J#1))

End of path


Beginning new path...
Continuing in LOOP ...

Assume (from last assertion)

all J#1 : USERID, APORTS[J#1].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J#1))
    and (J#1 ne I -> APORTS[J#1].SYSIN.INFROM = MSGSEQ())

Assume (KEEP assertion)
SOURCE(MS) = I

RECEIVE MS FROM APORTS[I].SYSIN

Assume new buffer history

(all I#2 : INTEGER [1..100],
    APORTS[I#2].SYSIN.OUTTO = APORTS#1[I#2].SYSIN.OUTTO
    and APORTS[I#2].SYSOUT.INFROM = APORTS#1[I#2].SYSOUT.INFROM
    and APORTS[I#2].SYSOUT.OUTTO = APORTS#1[I#2].SYSOUT.OUTTO
    and (I#2 ne I
      -> APORTS[I#2].SYSIN.INFROM = APORTS#1[I#2].SYSIN.INFROM))
and APORTS[I].SYSIN.INFROM @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
    = APORTS#1[I].SYSIN.INFROM

Signalling condition RECEIVEERROR
Entering WHEN part...

Entering next iteration of loop...

Evaluating SECUREMAIL(SECURITY[I], SECURITY[J#1],
                      MAIL(APORTS[I].SYSIN.INFROM, I, J#1))
Continuing in path...

Evaluating MAIL(APORTS[I].SYSIN.INFROM, I, J#1)

Continuing in path...

ASSERT all J#1 : USERID, APORTS[J#1].SYSOUT.OUTTO
             sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                            MAIL(APORTS[I].SYSIN.INFROM, I, J#1))
           and (J#1 ne I -> APORTS[J#1].SYSIN.INFROM = MSGSEQ())

Must verify ASSERT condition

VC is trivially TRUE


End of path


Suggest proving VC called SWITCHER#1-> Print Status All

The current design and verification status is:

Waiting for pending body to be filled in: DESTINATION, MAKEMSG, SECURE,
    SOURCE

Proved: NETWORK

For specifications only: ARRAYTOBAG, ALLSECUREMAILFOR, ISSUBMERGE,
    INFROM\ARRAYTOBAG, MAIL, OUTTO\ARRAYTOBAG, SECUREMAIL
Constants/Types: BAGMSGSEQ, MSG, MSGSEQ, MSGTEXT, MSGINBUF, MSGOUTBUF,
    MSGBUFARRAY, MSGSEQARRAY, NUSERS, SECURITYARRAY, SECURITYCLASS,
    USERID, USERPORT, USERPORTARRAY

SWITCHER

Waiting to be proved: SWITCHER#1, SWITCHER#2, SWITCHER#3, SWITCHER#4,
    SWITCHER#5, SWITCHER#6
Proved in VC generator: SWITCHER#7

As  reflected  in  the  status  summary,  seven  VCs  were  generated  for  Switcher,  six 
of  which  are  unproved.  They  are  proved  in  sequence  below. 

Suggest proving VC called SWITCHER#1-> !
Entering Prover with verification condition SWITCHER#1

H1: all I#1 : INTEGER [1..100], APORTS[I#1].SYSIN.INFROM = MSGSEQ()
    and APORTS[I#1].SYSIN.OUTTO = MSGSEQ()
    and APORTS[I#1].SYSOUT.INFROM = MSGSEQ()
    and APORTS[I#1].SYSOUT.OUTTO = MSGSEQ()

H2: I = SOURCE(MAKEMSG(I, I, MSGTEXT()))

H3: I in [1..NUSERS]

-->

C1: all J#1 : USERID, (I ne J#1 -> APORTS[J#1].SYSIN.INFROM = MSGSEQ())
    and APORTS[J#1].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J#1))


SWITCHER#1 proved in theorem prover.


This  proof  was  done  automatically  except  for  a few  interactive  equality 
substitutions. 


Suggest proving VC called SWITCHER#2-> !

Entering Prover with verification condition SWITCHER#2
H1: all I#2 : INTEGER [1..100], APORTS[I#2].SYSIN.OUTTO
      = APORTS#1[I#2].SYSIN.OUTTO
    and APORTS[I#2].SYSOUT.INFROM
      = APORTS#1[I#2].SYSOUT.INFROM
    and APORTS[I#2].SYSOUT.OUTTO
      = APORTS#1[I#2].SYSOUT.OUTTO
    and (I ne I#2
      -> APORTS[I#2].SYSIN.INFROM
         = APORTS#1[I#2].SYSIN.INFROM)

H2: all I#4 : INTEGER [1..100], APORTS#1[I#4].SYSIN.INFROM
      = APORTS#2[I#4].SYSIN.INFROM
    and APORTS#1[I#4].SYSIN.OUTTO
      = APORTS#2[I#4].SYSIN.OUTTO
    and APORTS#1[I#4].SYSOUT.INFROM
      = APORTS#2[I#4].SYSOUT.INFROM
    and APORTS#1[I#4].SYSOUT.OUTTO
      = APORTS#2[I#4].SYSOUT.OUTTO

H3: all J#1 : USERID, (I ne J#1 -> APORTS[J#1].SYSIN.INFROM = MSGSEQ())
    and APORTS[J#1].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J#1))

H4: APORTS[I].SYSIN.INFROM @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
      = APORTS#1[I].SYSIN.INFROM
H5: I = SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ))

H6: I = SOURCE(MS)


H7: FULL(APORTS#2[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))].SYSOUT)

H8: SECURE(SECURITY[I],
           SECURITY[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))])

-->

C1: all J : USERID, (I ne J -> APORTS#2[J].SYSIN.INFROM = MSGSEQ())
    and APORTS#2[J].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J],
                     MAIL(APORTS#2[I].SYSIN.INFROM, I, J))

The  proof  of  this  theorem  is  representative  of  many  of  the  other  proofs  and  is 
therefore  presented  in  its  entirety.  The  current  theorem  is  printed  frequently 
to  aid  in  following  the  manipulations. 

Backup point

(.)

Prover-> Print Theorem
H1. I
      in [MAX(SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ)), SOURCE(MS))
          ..MIN(SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ)), SOURCE(MS))]
H2. APORTS[I#2|].SYSIN.OUTTO = APORTS#1[I#2|].SYSIN.OUTTO
H3. APORTS[I#2|].SYSOUT.INFROM = APORTS#1[I#2|].SYSOUT.INFROM
H4. APORTS[I#2|].SYSOUT.OUTTO = APORTS#1[I#2|].SYSOUT.OUTTO
H5. I ne I#2| -> APORTS[I#2|].SYSIN.INFROM = APORTS#1[I#2|].SYSIN.INFROM
H6. APORTS#1[I#4|].SYSIN.INFROM = APORTS#2[I#4|].SYSIN.INFROM
H7. APORTS#1[I#4|].SYSIN.OUTTO = APORTS#2[I#4|].SYSIN.OUTTO
H8. APORTS#1[I#4|].SYSOUT.INFROM = APORTS#2[I#4|].SYSOUT.INFROM
H9. APORTS#1[I#4|].SYSOUT.OUTTO = APORTS#2[I#4|].SYSOUT.OUTTO
H10. I ne J#1| -> APORTS[J#1|].SYSIN.INFROM = MSGSEQ()
H11. APORTS[J#1|].SYSOUT.OUTTO
       sub SECUREMAIL(SECURITY[I], SECURITY[J#1|],
                      MAIL(APORTS[I].SYSIN.INFROM, I, J#1|))
H12. APORTS[I].SYSIN.INFROM @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
       = APORTS#1[I].SYSIN.INFROM
H13. I = SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ))
H14. I = SOURCE(MS)
H15. FULL(APORTS#2[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))].SYSOUT)
H16. SECURE(SECURITY[I],
            SECURITY[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))])

IMP

C1. I ne J -> APORTS#2[J].SYSIN.INFROM = MSGSEQ()
C2. APORTS#2[J].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J],
                     MAIL(APORTS#2[I].SYSIN.INFROM, I, J))

Prover-> Delete H2,H3,H7,H8

Several irrelevant hypotheses are deleted.

Prover-> !Proceeding
(. D 1)

Backup point
(. D 1 P-> .)

Prover-> Print Theorem

H1. I ne J
H2. I
      in [MAX(SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ)), SOURCE(MS))
          ..MIN(SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ)), SOURCE(MS))]
H3. APORTS[I#2|].SYSOUT.OUTTO = APORTS#1[I#2|].SYSOUT.OUTTO
H4. I ne I#2| -> APORTS[I#2|].SYSIN.INFROM = APORTS#1[I#2|].SYSIN.INFROM
H5. APORTS#1[I#4|].SYSIN.INFROM = APORTS#2[I#4|].SYSIN.INFROM
H6. APORTS#1[I#4|].SYSOUT.OUTTO = APORTS#2[I#4|].SYSOUT.OUTTO
H7. I ne J#1| -> APORTS[J#1|].SYSIN.INFROM = MSGSEQ()
H8. APORTS[J#1|].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1|],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J#1|))
H9. APORTS[I].SYSIN.INFROM @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
      = APORTS#1[I].SYSIN.INFROM
H10. I = SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ))
H11. I = SOURCE(MS)
H12. FULL(APORTS#2[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))].SYSOUT)
H13. SECURE(SECURITY[I],
            SECURITY[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))])

IMP

C1. APORTS#2[J].SYSIN.INFROM = MSGSEQ()




The  prover  split  the  theorem  into  two  subgoals  and  promoted  the  hypothesis  of 
Cl  to  hypothesis  HI  of  the  theorem.  Hypotheses  not  relevant  to  this  subgoal 
are  deleted,  retaining  only  four. 

Prover-> Retain H1,H4,H5,H7




Prover-> Print Theorem






H1. I ne J
H2. I ne I#2| -> APORTS[I#2|].SYSIN.INFROM = APORTS#1[I#2|].SYSIN.INFROM
H3. APORTS#1[I#4|].SYSIN.INFROM = APORTS#2[I#4|].SYSIN.INFROM
H4. I ne J#1| -> APORTS[J#1|].SYSIN.INFROM = MSGSEQ()
IMP

C1. APORTS#2[J].SYSIN.INFROM = MSGSEQ()


The proof of this theorem requires establishing a chain of equalities involving
H3, C1, and the conclusions of H2 and H4.


Prover-> Eq Chain
New subgoal
Backup point
(. D 1 P-> . D -CHAIN .)


Prover-> Print Conclusion


C1. I ne J
C2. I ne J


Cl  and  C2  are  hypotheses  from  H2  and  H4  that  must  be  proved  for  the  chain 
to  be  valid. 


Prover-> Simplify Theorem
Prover-> Print Conclusion
C1. TRUE


This  completes  the  proof  of  subgoal  Cl.  The  prover  tries  and  fails  to  prove 
C2,  which  cannot  be  proved  without  an  additional  lemma. 

Prover-> !Proceeding
(. D 2)

Ran out of tricks


Prover-> Print Theorem
H1. I
      in [MAX(SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ)), SOURCE(MS))
          ..MIN(SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ)), SOURCE(MS))]
H2. APORT

S[I#2|].SYSOUT.OUTTO = APORTS#1[I#2|].SYSOUT.OUTTO
H3. I ne I#2| -> APORTS[I#2|].SYSIN.INFROM = APORTS#1[I#2|].SYSIN.INFROM




H4. APORTS#1[I#4|].SYSIN.INFROM = APORTS#2[I#4|].SYSIN.INFROM
H5. APORTS#1[I#4|].SYSOUT.OUTTO = APORTS#2[I#4|].SYSOUT.OUTTO
H6. I ne J#1| -> APORTS[J#1|].SYSIN.INFROM = MSGSEQ()
H7. APORTS[J#1|].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1|],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J#1|))
H8. APORTS[I].SYSIN.INFROM @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
      = APORTS#1[I].SYSIN.INFROM
H9. I = SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ))
H10. I = SOURCE(MS)
H11. FULL(APORTS#2[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))].SYSOUT)
H12. SECURE(SECURITY[I],
            SECURITY[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))])

IMP

C1. APORTS#2[J].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J],
                     MAIL(APORTS#2[I].SYSIN.INFROM, I, J))


Prover-> Use Lemma
Enter lemma ...

* all A,B:MsgSeq, all C:Msg, all K,L:Userid, all S1,S2:SecurityClass,
*   A sub SecureMail(S1,S2,Mail(B,K,L))
*   -> A sub SecureMail(S1,S2,Mail(B@MsgSeq(C),K,L))!

Lemma added ... Its name is LEMMA#3

(. D 2 U)


Prover-> Print Theorem

H1. A| sub SECUREMAIL(S1|, S2|, MAIL(B|, K|, L|))
      -> A| sub SECUREMAIL(S1|, S2|, MAIL(B|@MSGSEQ(C|), K|, L|))
H2. I
      in [MAX(SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ)), SOURCE(MS))
          ..MIN(SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ)), SOURCE(MS))]
H3. APORTS[I#2|].SYSOUT.OUTTO = APORTS#1[I#2|].SYSOUT.OUTTO
H4. I ne I#2| -> APORTS[I#2|].SYSIN.INFROM = APORTS#1[I#2|].SYSIN.INFROM
H5. APORTS#1[I#4|].SYSIN.INFROM = APORTS#2[I#4|].SYSIN.INFROM
H6. APORTS#1[I#4|].SYSOUT.OUTTO = APORTS#2[I#4|].SYSOUT.OUTTO
H7. I ne J#1| -> APORTS[J#1|].SYSIN.INFROM = MSGSEQ()
H8. APORTS[J#1|].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1|],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J#1|))
H9. APORTS[I].SYSIN.INFROM @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
      = APORTS#1[I].SYSIN.INFROM
H10. I = SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ))
H11. I = SOURCE(MS)
H12. FULL(APORTS#2[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))].SYSOUT)
H13. SECURE(SECURITY[I],
            SECURITY[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))])

IMP

C1. APORTS#2[J].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J],
                     MAIL(APORTS#2[I].SYSIN.INFROM, I, J))


Lemma#3 has been added to the theorem as hypothesis H1. Two equality
chains are needed to complete the proof.


Prover-> Eq Chain
New subgoal
Backup point
(. D 2 U . -CHAIN .)


Prover-> Print Conclusion

C1. APORTS#2[J].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J))

Prover-> Retain H3,H6,H8

Prover-> Print Theorem

H1. APORTS[I#2|].SYSOUT.OUTTO = APORTS#1[I#2|].SYSOUT.OUTTO
H2. APORTS#1[I#4|].SYSOUT.OUTTO = APORTS#2[I#4|].SYSOUT.OUTTO
H3. APORTS[J#1|].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1|],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J#1|))

IMP

C1. APORTS#2[J].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J))


Prover-> Eq Chain
New subgoal
Backup point

(. D 2 U . -CHAIN . D -CHAIN .)
Prover-> Print Conclusion
C1. TRUE

Prover-> !Proceeding

SWITCHER#2 proved in theorem prover.

Suggest proving VC called SWITCHER#3-> !
Entering Prover with verification condition SWITCHER#3
H1: all I#5 : INTEGER [1..100], APORTS[I#5].SYSIN.INFROM
      = APORTS#1[I#5].SYSIN.INFROM
    and APORTS[I#5].SYSIN.OUTTO
      = APORTS#1[I#5].SYSIN.OUTTO
    and APORTS[I#5].SYSOUT.INFROM
      = APORTS#1[I#5].SYSOUT.INFROM
    and APORTS[I#5].SYSOUT.OUTTO
      = APORTS#1[I#5].SYSOUT.OUTTO

H2: all J#1 : USERID, (I ne J#1 -> APORTS[J#1].SYSIN.INFROM = MSGSEQ())
    and APORTS[J#1].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J#1))

H3: EMPTY(APORTS#1[I].SYSIN)

H4: I = SOURCE(MS)

-->

C1: all J : USERID, (I ne J -> APORTS#1[J].SYSIN.INFROM = MSGSEQ())
    and APORTS#1[J].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J],
                     MAIL(APORTS#1[I].SYSIN.INFROM, I, J))

The  proof  of  this  VC  is  entirely  automatic,  with  the  user  initiating  two 
equality  chains. 


SWITCHER#3 proved in theorem prover.

Suggest proving VC called SWITCHER#4-> !

Entering Prover with verification condition SWITCHER#4
H1: all I#2 : INTEGER [1..100], APORTS[I#2].SYSIN.OUTTO
      = APORTS#1[I#2].SYSIN.OUTTO


    and APORTS[I#2].SYSOUT.INFROM
      = APORTS#1[I#2].SYSOUT.INFROM
    and APORTS[I#2].SYSOUT.OUTTO
      = APORTS#1[I#2].SYSOUT.OUTTO
    and (I ne I#2
      -> APORTS[I#2].SYSIN.INFROM
         = APORTS#1[I#2].SYSIN.INFROM)

H2: all I#3 : INTEGER [1..100],
    APORTS#1[I#3].SYSIN.INFROM = APORTS#2[I#3].SYSIN.INFROM
    and APORTS#1[I#3].SYSIN.OUTTO = APORTS#2[I#3].SYSIN.OUTTO
    and APORTS#1[I#3].SYSOUT.INFROM = APORTS#2[I#3].SYSOUT.INFROM
    and (I#3 ne DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))
      -> APORTS#1[I#3].SYSOUT.OUTTO = APORTS#2[I#3].SYSOUT.OUTTO)

H3: all J#1 : USERID, (I ne J#1 -> APORTS[J#1].SYSIN.INFROM = MSGSEQ())
    and APORTS[J#1].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J#1))

H4: APORTS[I].SYSIN.INFROM @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
      = APORTS#1[I].SYSIN.INFROM

H5: APORTS#1[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))].SYSOUT.OUTTO
      @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
      = APORTS#2[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))].SYSOUT.OUTTO
H6: I = SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ))

H7: I = SOURCE(MS)

H8: SECURE(SECURITY[I],
           SECURITY[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))])

-->

C1: all J#1 : USERID, (I ne J#1 -> APORTS#2[J#1].SYSIN.INFROM = MSGSEQ())
    and APORTS#2[J#1].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                     MAIL(APORTS#2[I].SYSIN.INFROM, I, J#1))


The  first  subgoal  was  proved  with  a promotion  and  an  equality  chain.  The 
proof  of  the  second  requires  a cases  argument,  as  shown  below. 


Prover-> Print Theorem


H1. I
      in [MAX(SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ)), SOURCE(MS))
          ..MIN(SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ)), SOURCE(MS))]
H2. APORTS[I#2|#1].SYSIN.OUTTO = APORTS#1[I#2|#1].SYSIN.OUTTO
H3. APORTS[I#2|#1].SYSOUT.INFROM = APORTS#1[I#2|#1].SYSOUT.INFROM
H4. APORTS[I#2|#1].SYSOUT.OUTTO = APORTS#1[I#2|#1].SYSOUT.OUTTO
H5. I ne I#2|#1
      -> APORTS[I#2|#1].SYSIN.INFROM = APORTS#1[I#2|#1].SYSIN.INFROM
H6. APORTS#1[I#3|].SYSIN.INFROM = APORTS#2[I#3|].SYSIN.INFROM
H7. APORTS#1[I#3|].SYSIN.OUTTO = APORTS#2[I#3|].SYSIN.OUTTO
H8. APORTS#1[I#3|].SYSOUT.INFROM = APORTS#2[I#3|].SYSOUT.INFROM
H9. DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ)) ne I#3|
      -> APORTS#1[I#3|].SYSOUT.OUTTO = APORTS#2[I#3|].SYSOUT.OUTTO
H10. I ne J#1|#2 -> APORTS[J#1|#2].SYSIN.INFROM = MSGSEQ()
H11. APORTS[J#1|#2].SYSOUT.OUTTO
       sub SECUREMAIL(SECURITY[I], SECURITY[J#1|#2],
                      MAIL(APORTS[I].SYSIN.INFROM, I, J#1|#2))
H12. APORTS[I].SYSIN.INFROM @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
       = APORTS#1[I].SYSIN.INFROM
H13. APORTS#1[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))].SYSOUT.OUTTO
       @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
       = APORTS#2[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))].SYSOUT.OUTTO
H14. I = SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ))
H15. I = SOURCE(MS)
H16. SECURE(SECURITY[I],
            SECURITY[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))])

IMP

C1. APORTS#2[J#1].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                     MAIL(APORTS#2[I].SYSIN.INFROM, I, J#1))

Prover-> Cases

CASE:

* J#1 = DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))!
CASE:

* DONE
Attempting CASE 1

The remaining "not equal" case is generated by the prover. After deleting some
irrelevant hypotheses and doing several equality substitutions, we come to the
key part of the proof.


Prover-> Print Theorem

H1. APORTS#1[J#1].SYSOUT.OUTTO @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
      = APORTS#2[J#1].SYSOUT.OUTTO
H2. APORTS[J#1].SYSOUT.OUTTO = APORTS#1[J#1].SYSOUT.OUTTO
H3. J#1 = DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))
H4. I = SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ))
H5. I = SOURCE(MS)
H6. SECURE(SECURITY[I], SECURITY[J#1])
H7. I ne J#1 -> APORTS#1[I].SYSOUT.OUTTO = APORTS#2[I].SYSOUT.OUTTO
H8. APORTS[J#1].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                     MAIL(APORTS[I].SYSIN.INFROM, I, J#1))

IMP

C1. APORTS#2[J#1].SYSOUT.OUTTO
      sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
                     MAIL(APORTS[I].SYSIN.INFROM
                            @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ)), I, J#1))


The proof of this theorem requires the definitions of SecureMail and Mail.



Prover-> Expand SecureMail
More than one to expand.

Which do you want to expand? ^

Backup point

(. 2 . CASE1 . D PUT . -S . E .)

Prover-> Print Theorem
H1. I
      in [MAX(SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ)), SOURCE(MS))
          ..MIN(SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ)), SOURCE(MS))]
H2. APORTS[J#1].SYSOUT.OUTTO
      sub if SECURE(SECURITY[I], SECURITY[J#1])
          then MAIL(APORTS[I].SYSIN.INFROM, I, J#1) else MSGSEQ() fi
H3. I ne J#1 -> APORTS#1[I].SYSOUT.OUTTO = APORTS#2[I].SYSOUT.OUTTO
H4. SECURE(SECURITY[I], SECURITY[J#1])
H5. I = SOURCE(MS)
H6. I = SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ))
H7. J#1 = DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))
H8. APORTS[J#1].SYSOUT.OUTTO = APORTS#1[J#1].SYSOUT.OUTTO
H9. APORTS#1[J#1].SYSOUT.OUTTO @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
      = APORTS#2[J#1].SYSOUT.OUTTO

IMP

C1. APORTS#2[J#1].SYSOUT.OUTTO
      sub if SECURE(SECURITY[I], SECURITY[J#1])
          then MAIL(APORTS[I].SYSIN.INFROM
                      @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ)), I, J#1)
          else MSGSEQ() fi

Prover-> Expand Mail
More than one to expand.

Which do you want to expand? Show

1. MAIL(APORTS[I].SYSIN.INFROM, I, J#1)

2. MAIL(APORTS[I].SYSIN.INFROM @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ)), I,
        J#1)

Which do you want to expand? 2
Backup point

(. 2 . CASE1 . D PUT . -S . E . E .)

Prover-> Print Theorem

H1. APORTS#1[J#1].SYSOUT.OUTTO @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
      = APORTS#2[J#1].SYSOUT.OUTTO
H2. APORTS[J#1].SYSOUT.OUTTO = APORTS#1[J#1].SYSOUT.OUTTO
H3. J#1 = DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))
H4. I = SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ))
H5. I = SOURCE(MS)
H6. SECURE(SECURITY[I], SECURITY[J#1])
H7. I ne J#1 -> APORTS#1[I].SYSOUT.OUTTO = APORTS#2[I].SYSOUT.OUTTO
H8. APORTS[J#1].SYSOUT.OUTTO
      sub if SECURE(SECURITY[I], SECURITY[J#1])
          then MAIL(APORTS[I].SYSIN.INFROM, I, J#1) else MSGSEQ() fi
H9. I
      in [MAX(SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ)), SOURCE(MS))
          ..MIN(SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ)), SOURCE(MS))]

IMP

C1. APORTS#2[J#1].SYSOUT.OUTTO
      sub if SECURE(SECURITY[I], SECURITY[J#1])
          then if APORTS[I].SYSIN.INFROM
                    @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
                    = MSGSEQ() then MSGSEQ()
               else if J#1
                         = DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))
                         and I = SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ))
                    then MAIL(APORTS[I].SYSIN.INFROM, I, J#1)
                           @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
                    else MAIL(APORTS[I].SYSIN.INFROM, I, J#1) fi fi
          else MSGSEQ() fi

Prover->


Prover-> Print Theorem

H1. I
      in [MAX(SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ)), SOURCE(MS))
          ..MIN(SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ)), SOURCE(MS))]
H2. if SECURE(SECURITY[I], SECURITY[J#1])
    then APORTS[J#1].SYSOUT.OUTTO
           sub MAIL(APORTS[I].SYSIN.INFROM, I, J#1)
    else APORTS[J#1].SYSOUT.OUTTO = MSGSEQ() fi
H3. SECURE(SECURITY[I], SECURITY[J#1])
H4. APORTS[J#1].SYSOUT.OUTTO = APORTS#1[J#1].SYSOUT.OUTTO
H5. APORTS#1[J#1].SYSOUT.OUTTO @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
      = APORTS#2[J#1].SYSOUT.OUTTO
IMP

C1. APORTS[I].SYSIN.INFROM @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
      = MSGSEQ()
    -> APORTS#2[J#1].SYSOUT.OUTTO = MSGSEQ()
C2. (not APORTS[I].SYSIN.INFROM
           @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))
           = MSGSEQ())
    -> APORTS#2[J#1].SYSOUT.OUTTO
         sub MAIL(APORTS[I].SYSIN.INFROM, I, J#1)
               @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))


The proof of this theorem requires three additional lemmas.

Prover-> Use Lemma
Enter lemma ...


Lemma added ... Its name is LEMMA#4
Prover-> Use Lemma
Enter lemma ...

all A,B,C:MsgSeq, A sub B -> A@C sub B@C;
Lemma added ... Its name is LEMMA#5


Prover-> Use Lemma#3


SWITCHER#4 proved in theorem prover.

Suggest proving VC called SWITCHER#5-> |

Entering Prover with verification condition SWITCHER#5
H1: all I#2 : INTEGER [1..100], APORTS[I#2].SYSIN.OUTTO

 = APORTS#1[I#2].SYSIN.OUTTO
 and APORTS[I#2].SYSOUT.INFROM
 = APORTS#1[I#2].SYSOUT.INFROM
 and APORTS[I#2].SYSOUT.OUTTO
 = APORTS#1[I#2].SYSOUT.OUTTO
 and (I ne I#2

 -> APORTS[I#2].SYSIN.INFROM
 = APORTS#1[I#2].SYSIN.INFROM)

H2: all J#1 : USERID, (I ne J#1 -> APORTS[J#1].SYSIN.INFROM = MSGSEQ())
 and APORTS[J#1].SYSOUT.OUTTO

 sub SECUREMAIL(SECURITY[I], SECURITY[J#1],

 MAIL(APORTS[I].SYSIN.INFROM, I, J#1))

H3: APORTS[I].SYSIN.INFROM @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))

 = APORTS#1[I].SYSIN.INFROM
H4: I = SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ))

H5: I = SOURCE(MS)

H6: SECURE(SECURITY[I],

 SECURITY[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))])

-->

C1: all J#1 : USERID, (I ne J#1 -> APORTS#1[J#1].SYSIN.INFROM = MSGSEQ())
 and APORTS#1[J#1].SYSOUT.OUTTO

 sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
 MAIL(APORTS#1[I].SYSIN.INFROM, I,
 J#1))

The scenario for this proof is the same as for Switcher#2. The only additional
property required in the proof is Lemma#3.


SWITCHER#5 proved in theorem prover.

Suggest proving VC called SWITCHER#6-> |
Entering Prover with verification condition SWITCHER#6
H1: all I#2 : INTEGER [1..100], APORTS[I#2].SYSIN.OUTTO

 = APORTS#1[I#2].SYSIN.OUTTO
 and APORTS[I#2].SYSOUT.INFROM
 = APORTS#1[I#2].SYSOUT.INFROM
 and APORTS[I#2].SYSOUT.OUTTO
 = APORTS#1[I#2].SYSOUT.OUTTO
 and (I ne I#2

 -> APORTS[I#2].SYSIN.INFROM
 = APORTS#1[I#2].SYSIN.INFROM)

H2: all J#1 : USERID, (I ne J#1 -> APORTS[J#1].SYSIN.INFROM = MSGSEQ())
 and APORTS[J#1].SYSOUT.OUTTO

 sub SECUREMAIL(SECURITY[I], SECURITY[J#1],

 MAIL(APORTS[I].SYSIN.INFROM, I, J#1))

H3: APORTS[I].SYSIN.INFROM @ MSGSEQ(FIRST(APORTS#1[I].SYSIN.BUFQ))

 = APORTS#1[I].SYSIN.INFROM
H4: I = SOURCE(FIRST(APORTS#1[I].SYSIN.BUFQ))

H5: I = SOURCE(MS)

H6: (not SECURE(SECURITY[I],

 SECURITY[DESTINATION(FIRST(APORTS#1[I].SYSIN.BUFQ))]))

-->

C1: all J#1 : USERID, (I ne J#1 -> APORTS#1[J#1].SYSIN.INFROM = MSGSEQ())
 and APORTS#1[J#1].SYSOUT.OUTTO

 sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
 MAIL(APORTS#1[I].SYSIN.INFROM, I,

 J#1))


This proof is also done like Switcher#2 and uses Lemma#3.
SWITCHER#6 proved in theorem prover.

Suggest fully defining SECURE-> Print Status All

The current design and verification status is:

Waiting for pending body to be filled in: DESTINATION, MAKEMSG, SECURE,
 SOURCE

Proved: NETWORK, SWITCHER

For specifications only: ARRAYTOBAG, ALLSECUREMAILFOR, ISSUBMERGE,
 INFROM\ARRAYTOBAG, MAIL, OUTTO\ARRAYTOBAG, SECUREMAIL
Constants/Types: BAGMSGSEQ, MSG, MSGSEQ, MSGTEXT, MSGINBUF, MSGOUTBUF,
 MSGBUFARRAY, MSGSEQARRAY, NUSERS, SECURITYARRAY, SECURITYCLASS,
 USERID, USERPORT, USERPORTARRAY

Suggest fully defining SECURE-> Explain


<- What are the effects of defining the body of Secure?


No effects.


<- Done


Suggest fully defining SECURE-> Exec


Exec-> Translate Msg.Net


function Secure(s1,s2:SecurityClass):boolean =
begin

 exit Secure(s1,s2) iff s1 le s2;

 Result:=s1 le s2;
end;


type Msg<Source,Destination,Text,MakeMsg,MsgEq> =
 record ( SourcePart,DestPart : Userid;

 TextPart : MsgText

 );

type MsgText = array([1..1024]) of character;

function Source(M:Msg):Userid =
begin

 exit Source(M) in [1..NUsers] otherwise routineerror;
 cexit Source(M) = M.SourcePart;

 Result:=M.SourcePart;
end;

function Destination(M:Msg):Userid =
begin

 exit Destination(M) in [1..NUsers] otherwise routineerror;
 cexit Destination(M) = M.DestPart;

 Result := M.DestPart;
end;

function Text(M:Msg):MsgText =
begin

 cexit Text(M) = M.TextPart;

 Result := M.TextPart;
end;

function MakeMsg(S,D : Userid; T : MsgText) : Msg =
begin

 entry S in [1..NUsers] and D in [1..NUsers];
 cexit MakeMsg(S,D,T) = Msg(S,D,T);

 Result := Msg(S,D,T);
end;

function MsgEq(M1,M2: Msg): boolean =
begin

 cexit MsgEq(M1,M2)

 iff M1.SourcePart = M2.SourcePart
 and M1.DestPart = M2.DestPart
 and M1.TextPart = M2.TextPart;

 Result:=M1.SourcePart = M2.SourcePart and
 M1.DestPart = M2.DestPart and
 M1.TextPart = M2.TextPart;

end;


No syntax errors detected.

No semantic errors detected.


This implements messages and the functions which manipulate them.

Exec-> Print Status All


The current design and verification status is:

Waiting for VC generation: DESTINATION, MSGEQ, MAKEMSG, SECURE, SOURCE,
 TEXT

Proved: NETWORK, SWITCHER

For specifications only: ARRAYTOBAG, ALLSECUREMAILFOR, ISSUBMERGE,
 INFROM\ARRAYTOBAG, MAIL, OUTTO\ARRAYTOBAG, SECUREMAIL

Constants/Types: BAGMSGSEQ, MSG, MSGSEQ, MSGTEXT, MSGINBUF, MSGOUTBUF,
 MSGBUFARRAY, MSGSEQARRAY, NUSERS, SECURITYARRAY, SECURITYCLASS,
 USERID, USERPORT, USERPORTARRAY


Exec-> Suggest

The suggestion mechanism carries the user through the remainder of the
verification. Every proof is automatic and requires no additional information.

Suggest generating VCs for SECURE-> |

Generating VCs for FUNCTION SECURE

Found 1-ST path:


Beginning new path...

Assume (unit entry condition)
TRUE

RESULT := S1 le S2

Evaluating SECURE(S1, S2)
Continuing in path...
Leaving unit SECURE
ASSERT RESULT iff S1 le S2


Must verify (unit exit) condition
VC is trivially TRUE


End of path


Suggest generating VCs for SOURCE-> |
Generating VCs for FUNCTION SOURCE
Found 1-ST path


Relate Concrete and Abstract Specs...

Assume (SOURCE Concrete exit)
SOURCE(M) = M.SOURCEPART


Must verify (SOURCE Abstract exit) condition
Verification condition SOURCE#1
H1: SOURCE(M) = M.SOURCEPART
-->

C1: TRUE


Beginning new path...

Assume (unit entry condition)
TRUE

RESULT := M.SOURCEPART

Evaluating SOURCE(M)

Continuing in path...

Leaving unit SOURCE

ASSERT RESULT = M.SOURCEPART


Must verify (unit exit) condition
VC is trivially TRUE


End of path


Suggest proving VC called SOURCE#1-> |
Entering Prover with verification condition SOURCE#1
H1: SOURCE(M) = M.SOURCEPART
-->

C1: TRUE

Backup point

(.)

Prover-> ;Proceeding

SOURCE#1 proved in theorem prover.

Suggest generating VCs for DESTINATION-> |
Generating VCs for FUNCTION DESTINATION
Found 1-ST path


Relate Concrete and Abstract Specs...


Assume (DESTINATION Concrete exit)
DESTINATION(M) = M.DESTPART
Must verify (DESTINATION Abstract exit) condition
Verification condition DESTINATION#1
H1: DESTINATION(M) = M.DESTPART
-->

C1: TRUE


Assume (unit entry condition)
TRUE

RESULT := M.DESTPART

Evaluating DESTINATION(M)
Continuing in path...

Leaving unit DESTINATION
ASSERT RESULT = M.DESTPART


Must verify (unit exit) condition
VC is trivially TRUE


Suggest proving VC called DESTINATION#1-> |

Entering Prover with verification condition DESTINATION#1
H1: DESTINATION(M) = M.DESTPART
-->

C1: TRUE

Backup point

(.)

Prover-> ;Proceeding


DESTINATION#1 proved in theorem prover.


Suggest generating VCs for TEXT-> |
Generating VCs for FUNCTION TEXT
Found 1-ST path



Relate Concrete and Abstract Specs...

Assume (TEXT Concrete exit)
TEXT(M) = M.TEXTPART


Must verify (TEXT Abstract exit) condition
Verification condition TEXT#1
H1: TEXT(M) = M.TEXTPART
-->

C1: TRUE


Beginning new path...

Assume (unit entry condition)
TRUE

RESULT := M.TEXTPART

Leaving unit TEXT

ASSERT RESULT = M.TEXTPART


Must verify (unit exit) condition
VC is trivially TRUE



End of path
Suggest proving VC called TEXT#1-> |

Entering Prover with verification condition TEXT#1
H1: TEXT(M) = M.TEXTPART
-->

C1: TRUE


Backup point

(.)


Prover-> ;Proceeding
TEXT#1 proved in theorem prover.
Suggest generating VCs for MAKEMSG-> |
Generating VCs for FUNCTION MAKEMSG
Found 1-ST path


Relate Concrete and Abstract Specs...


Assume (MAKEMSG Concrete exit)
MAKEMSG(S, D, T) = MSG(S, D, T)


Must verify (MAKEMSG Abstract exit) condition
Verification condition MAKEMSG#1
H1: MAKEMSG(S, D, T) = MSG(S, D, T)

-->

C1: TRUE


Beginning new path...
Assume (unit entry condition)

S in [1..NUSERS] and D in [1..NUSERS]

RESULT := MSG(S, D, T)

Leaving unit MAKEMSG
ASSERT RESULT = MSG(S, D, T)


Must verify (unit exit) condition
VC is trivially TRUE


End of path


Suggest proving VC called MAKEMSG#1-> |

Entering Prover with verification condition MAKEMSG#1
H1: MAKEMSG(S, D, T) = MSG(S, D, T)

-->

C1: TRUE
Backup point

(.)

Prover-> ;Proceeding
MAKEMSG#1 proved in theorem prover.

Suggest generating VCs for MSGEQ-> |
Generating VCs for FUNCTION MSGEQ

Found 1-ST path


Relate Concrete and Abstract Specs...
Assume (MSGEQ Concrete exit)

Must verify (MSGEQ Abstract exit) condition
Verification condition MSGEQ#1
H1: MSGEQ(M1, M2)

 iff M1.SOURCEPART = M2.SOURCEPART and M1.DESTPART = M2.DESTPART
 and M1.TEXTPART = M2.TEXTPART

-->

C1: TRUE


Beginning new path...


Assume (unit entry condition)

TRUE

RESULT := M1.SOURCEPART = M2.SOURCEPART and M1.DESTPART = M2.DESTPART
 and M1.TEXTPART = M2.TEXTPART
Leaving unit MSGEQ
ASSERT RESULT

 iff M1.SOURCEPART = M2.SOURCEPART and M1.DESTPART = M2.DESTPART
 and M1.TEXTPART = M2.TEXTPART


Must verify (unit exit) condition
VC is trivially TRUE


End of path


Suggest proving VC called MSGEQ#1-> |

Entering Prover with verification condition MSGEQ#1
H1: MSGEQ(M1, M2)

 iff M1.SOURCEPART = M2.SOURCEPART and M1.DESTPART = M2.DESTPART

 and M1.TEXTPART = M2.TEXTPART

-->

C1: TRUE


Backup point
Prover-> ;Proceeding

MSGEQ#1 proved in theorem prover.

Suggest one of:

<esc> TRANSLATE (from file)

SAVE (problem on file)

-> Print Status All

The current design and verification status is:

Proved: DESTINATION, MSGEQ, MAKEMSG, NETWORK, SECURE, SOURCE, SWITCHER,
 TEXT

For specifications only: ARRAYTOBAG, ALLSECUREMAILFOR, ISSUBMERGE,
 INFROM\ARRAYTOBAG, MAIL, OUTTO\ARRAYTOBAG, SECUREMAIL
Constants/Types: BAGMSGSEQ, MSG, MSGSEQ, MSGTEXT, MSGINBUF, MSGOUTBUF,
 MSGBUFARRAY, MSGSEQARRAY, NUSERS, SECURITYARRAY, SECURITYCLASS,
 USERID, USERPORT, USERPORTARRAY


As indicated by the status summary, the design and verification of the network
is complete. The final version of all network programs and their
specifications is displayed below.


Suggest one of:

<esc> TRANSLATE (from file)

SAVE (problem on file)

-> Print Unit Alphabetical

Units are printed alphabetically by name.

function ALLSECUREMAILFOR(A : USERPORTARRAY; J : INTEGER; S : SECURITYARRAY)
 : MSGSEQARRAY =
begin
 exit
 (assume all I : USERID, ALLSECUREMAILFOR(A, J, S)[I]
 = SECUREMAIL(S[I], S[J],
 MAIL(A[I].SYSIN.INFROM, I, J)));
end;


function ARRAYTOBAG(A : MSGSEQARRAY; I, J : USERID) : BAGMSGSEQ =
begin
end;

type BAGMSGSEQ = bag of MSGSEQ;

function DESTINATION(M : MSG) : USERID =
begin
 exit DESTINATION(M) in [1..NUSERS] otherwise ROUTINEERROR;
 cexit DESTINATION(M) = M.DESTPART;

 RESULT := M.DESTPART
end;

function INFROM\ARRAYTOBAG(A : MSGBUFARRAY; I, J : USERID) : BAGMSGSEQ =
begin
end;

function ISSUBMERGE(S : MSGSEQ; A : MSGSEQARRAY) : BOOLEAN =
begin
 exit
 (assume ISSUBMERGE(S, A)
 iff (some X : MSGSEQ, ISMERGE(X, ARRAYTOBAG(A, 1, NUSERS))
 and S sub X));
end;

function MAIL(MS : MSGSEQ; I, J : USERID) : MSGSEQ =
begin
 exit
 (assume MAIL(MS, I, J)
 = if MS = MSGSEQ() then MSGSEQ()
 else if SOURCE(LAST(MS)) = I
 and DESTINATION(LAST(MS)) = J
 then MAIL(NONLAST(MS), I, J)
 @ MSGSEQ(LAST(MS))
 else MAIL(NONLAST(MS), I, J) fi fi);
end;

function MAKEMSG(S, D : USERID; T : MSGTEXT) : MSG =
begin
 entry S in [1..NUSERS] and D in [1..NUSERS];
 cexit MAKEMSG(S, D, T) = MSG(S, D, T);

 RESULT := MSG(S, D, T)
end;

type MSG <SOURCE, DESTINATION, TEXT, MAKEMSG, MSGEQ> =
 record
 (SOURCEPART, DESTPART : USERID;
 TEXTPART : MSGTEXT);

type MSGBUFARRAY = array (USERID) of MSGOUTBUF;

function MSGEQ(M1, M2 : MSG) : BOOLEAN =
begin
 cexit MSGEQ(M1, M2)
 iff M1.SOURCEPART = M2.SOURCEPART and M1.DESTPART = M2.DESTPART
 and M1.TEXTPART = M2.TEXTPART;

 RESULT := M1.SOURCEPART = M2.SOURCEPART and M1.DESTPART = M2.DESTPART
 and M1.TEXTPART = M2.TEXTPART
end;

type MSGINBUF = buffer (1) of MSG;

type MSGOUTBUF = buffer (NUSERS) of MSG;

type MSGSEQ = sequence of MSG;

type MSGSEQARRAY = array (USERID) of MSGSEQ;

type MSGTEXT = array ([1..1024]) of CHARACTER;

process NETWORK(var AUSERPORT : USERPORTARRAY; SECURITY : SECURITYARRAY) =
begin
 block all J : USERID, ISSUBMERGE(AUSERPORT[J].SYSOUT.OUTTO,
 ALLSECUREMAILFOR(AUSERPORT, J, SECURITY));

 cobegin
 SWITCHER(I, AUSERPORT, SECURITY) each I : [1..NUSERS]
 end
end;

const NUSERS = 100;

function OUTTO\ARRAYTOBAG(A : MSGBUFARRAY; I, J : USERID) : BAGMSGSEQ =
begin
end;


function SECURE(S1, S2 : SECURITYCLASS) : BOOLEAN =
begin
 exit SECURE(S1, S2) iff S1 le S2;

 RESULT := S1 le S2
end;


function SECUREMAIL(S1, S2 : SECURITYCLASS; MS : MSGSEQ) : MSGSEQ =
begin
 exit
 (assume SECUREMAIL(S1, S2, MS)
 = if SECURE(S1, S2) then MS else MSGSEQ() fi);
end;


type SECURITYARRAY = array ([1..NUSERS]) of SECURITYCLASS;

type SECURITYCLASS = (UNCLASSIFIED, CONFIDENTIAL, SECRET, TOPSECRET);

function SOURCE(M : MSG) : USERID =
begin
 exit SOURCE(M) in [1..NUSERS] otherwise ROUTINEERROR;
 cexit SOURCE(M) = M.SOURCEPART;

 RESULT := M.SOURCEPART
end;

process SWITCHER(I : USERID; var APORTS : USERPORTARRAY;
 SECURITY : SECURITYARRAY) =
begin
 entry I in [1..NUSERS];

 block all J : USERID, APORTS[J].SYSOUT.OUTTO
 sub SECUREMAIL(SECURITY[I], SECURITY[J],
 MAIL(APORTS[I].SYSIN.INFROM, I, J))
 and (J ne I -> APORTS[J].SYSIN.INFROM = MSGSEQ());
 var MS : MSG := MAKEMSG(I, I, MSGTEXT());

 keep
 (assume SOURCE(MS) = I);
 loop
 assert all J#1 : USERID, APORTS[J#1].SYSOUT.OUTTO
 sub SECUREMAIL(SECURITY[I], SECURITY[J#1],
 MAIL(APORTS[I].SYSIN.INFROM, I,
 J#1))
 and (J#1 ne I
 -> APORTS[J#1].SYSIN.INFROM = MSGSEQ());

 begin
 receive MS from APORTS[I].SYSIN;
 if SECURE(SECURITY[I], SECURITY[DESTINATION(MS)])
 then send MS to APORTS[DESTINATION(MS)].SYSOUT
 end
 when
 is RECEIVEERROR : ;
 is SENDERROR : ;
 end
 end
end;


function TEXT(M : MSG) : MSGTEXT =
begin
 cexit TEXT(M) = M.TEXTPART;

 RESULT := M.TEXTPART
end;

type USERID = INTEGER [1..NUSERS];

type USERPORT = record
 (SYSIN : MSGINBUF;
 SYSOUT : MSGOUTBUF);

type USERPORTARRAY = array (USERID) of USERPORT;

Suggest one of:

<esc> TRANSLATE (from file)

SAVE (problem on file)

-> Print Lemma All


LEMMA#1 is
all A : MSGBUFARRAY,
all B : MSGSEQARRAY,
all X : MSGSEQ,

 ISMERGE(X, OUTTO\ARRAYTOBAG(A, 1, NUSERS))
 and (all K : USERID, A[K].OUTTO sub B[K])

 -> (some Y : MSGSEQ, ISMERGE(Y, ARRAYTOBAG(B, 1, NUSERS))
 and X sub Y)

LEMMA#2 is

all A#1 : MSGBUFARRAY,
all I#5 : USERID,
all X#1 : MSGSEQ,
 (all J#1 : USERID, I#5 ne J#1 -> A#1[J#1].INFROM = MSGSEQ())
 and ISMERGE(X#1, INFROM\ARRAYTOBAG(A#1, 1, NUSERS))

 -> X#1 = A#1[I#5].INFROM

LEMMA#3 is
all A, B : MSGSEQ,
all C : MSG,
all K, L : USERID,
all S1, S2 : SECURITYCLASS, A
 sub SECUREMAIL(S1, S2,
 MAIL(B, K, L))
 -> A
 sub SECUREMAIL(S1, S2,
 MAIL(B @ MSGSEQ(C),
 K, L))

LEMMA#4 is

all A#1 : MSGSEQ, all M : MSG, A#1 @ MSGSEQ(M) ne MSGSEQ()
LEMMA#5 is

all A#2, B#1, C#1 : MSGSEQ, A#2 sub B#1 -> A#2@C#1 sub B#1@C#1

These are all the lemmas used in the verification of the network.
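As an added illustration (not part of the SID session or of the Gypsy units listed above), the following Python executes the specifications just printed: SECURE as `le` on the declaration order of SECURITYCLASS, MAIL, SECUREMAIL and the `sub` relation, a switcher loop that forwards one port's input, a check of SWITCHER's block specification, and the instance of Lemma#3 that lets the loop assertion survive one more received message. The classifications and message sequence are constructed sample data; the variant with the SECURE test removed is hypothetical and exists only to show the specification check rejecting it.

```python
"""Executable model of the network specification (added example; not SID's
or the Gypsy program's own code). Sequences are tuples, a message a namedtuple."""
from collections import namedtuple

Msg = namedtuple("Msg", "source dest text")

# type SECURITYCLASS = (UNCLASSIFIED, CONFIDENTIAL, SECRET, TOPSECRET):
# `le` on an enumeration compares declaration order.
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOPSECRET")


def secure(s1, s2):
    """SECURE(S1, S2) iff S1 le S2: mail may only flow upward in classification."""
    return LEVELS.index(s1) <= LEVELS.index(s2)


def mail(ms, i, j):
    """MAIL(MS, I, J): the subsequence of MS sent by I to J, in order.
    The Gypsy definition recurses on LAST/NONLAST; a filter is equivalent."""
    return tuple(m for m in ms if m.source == i and m.dest == j)


def securemail(s1, s2, ms):
    """SECUREMAIL(S1, S2, MS) = if SECURE(S1, S2) then MS else MSGSEQ() fi."""
    return ms if secure(s1, s2) else ()


def is_sub(a, b):
    """A sub B: A is a (not necessarily contiguous) subsequence of B."""
    rest = iter(b)
    return all(any(m == x for x in rest) for m in a)


def run_switcher(i, infrom, security, check_secure=True):
    """Model of process SWITCHER(I): each message received from APORTS[I].SYSIN
    is sent to APORTS[DESTINATION(MS)].SYSOUT when SECURE(SECURITY[I],
    SECURITY[DESTINATION(MS)]) holds. check_secure=False is a hypothetical
    switcher with that test removed, kept only for contrast."""
    outto = {j: () for j in security}
    for ms in infrom:
        if check_secure and not secure(security[i], security[ms.dest]):
            continue  # dropped; the spec's subsequence relation allows this
        outto[ms.dest] += (ms,)
    return outto


def switcher_spec_holds(i, infrom, outto, security):
    """SWITCHER's block specification: for all J, APORTS[J].SYSOUT.OUTTO
    sub SECUREMAIL(SECURITY[I], SECURITY[J], MAIL(APORTS[I].SYSIN.INFROM, I, J))."""
    return all(is_sub(outto[j], securemail(security[i], security[j], mail(infrom, i, j)))
               for j in security)


def lemma3_holds(a, b, c, k, l, s1, s2):
    """Instance of LEMMA#3: A sub SECUREMAIL(S1,S2,MAIL(B,K,L))
    -> A sub SECUREMAIL(S1,S2,MAIL(B @ MSGSEQ(C),K,L))."""
    before = is_sub(a, securemail(s1, s2, mail(b, k, l)))
    after = is_sub(a, securemail(s1, s2, mail(b + (c,), k, l)))
    return (not before) or after


# Constructed sample: port 1 is SECRET, port 2 UNCLASSIFIED, port 3 TOPSECRET.
SECURITY = {1: "SECRET", 2: "UNCLASSIFIED", 3: "TOPSECRET"}
INFROM_1 = (Msg(1, 3, "report"), Msg(1, 2, "summary"), Msg(1, 3, "update"))


def demo():
    """(spec holds for the specified switcher, spec holds for the leaky one)."""
    good = run_switcher(1, INFROM_1, SECURITY)
    leaky = run_switcher(1, INFROM_1, SECURITY, check_secure=False)
    return (switcher_spec_holds(1, INFROM_1, good, SECURITY),
            switcher_spec_holds(1, INFROM_1, leaky, SECURITY))
```

Running demo() gives (True, False): the SECRET-to-UNCLASSIFIED message is the one the leaky variant delivers and the block specification forbids.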

Suggest one of:

<esc> TRANSLATE (from file)

SAVE (problem on file)

SID is useful not only during a design and verification, but also afterwards
as a maintenance tool. Without a facility like SID, determining the potential
effects of changes to a fairly large, complex, and interrelated collection of
data is a formidable task. The following is a further illustration of how SID
is even more essential as the amount of data grows.

-> Explain


<- What are the effects of changing the header of SecureMail?


Possible effects of changing the header of SECUREMAIL are:

Incorrect semantics: ALLSECUREMAILFOR, LEMMA#3, SWITCHER, SECUREMAIL
Invalid verification: NETWORK, SWITCHER
Incorrect semantics because calls to SECUREMAIL may become inconsistent. Invalid
verification because the external specifications of ALLSECUREMAILFOR, which call
SECUREMAIL, were used in proving NETWORK#1. Invalid verification because the
external specifications of SWITCHER, which call SECUREMAIL, were used in proving
NETWORK#1. Invalid verification because the external specifications of
SECUREMAIL, which recursively call SECUREMAIL, were used in proving SWITCHER#4.
Invalid verification because basis property LEMMA#3, which calls SECUREMAIL, was
used in proving SWITCHER#2, SWITCHER#4, SWITCHER#5, and SWITCHER#6.


<- What are the effects of changing the block specification of Switcher?

Changing the block specification of SWITCHER does not affect SWITCHER if the
formula

H1: all J : USERID, APORTS[J].SYSOUT.OUTTO

 sub SECUREMAIL(SECURITY[I], SECURITY[J],

 MAIL(APORTS[I].SYSIN.INFROM, I, J))
 and (J ne I -> APORTS[J].SYSIN.INFROM = MSGSEQ())

-->

Changed block specification

is true. If not, some of SWITCHER's VCs are incorrect. The verification of other
programs is not affected if the formula
Changed block specification
-->

C1: all J : USERID, APORTS[J].SYSOUT.OUTTO

 sub SECUREMAIL(SECURITY[I], SECURITY[J],

 MAIL(APORTS[I].SYSIN.INFROM, I, J))
 and (J ne I -> APORTS[J].SYSIN.INFROM = MSGSEQ())
is true. If not, the change invalidates the verification of NETWORK.


<- Why?

The effects on SWITCHER are a change in its VCs. Invalid verification because
the block specification of SWITCHER was used in proving NETWORK#1.


<- What are the effects of modifying Lemma#3?

Changing basis property LEMMA#3 does not affect the verification if
Changed lemma
-->
C1: all A, B : MSGSEQ,
all C : MSG,
all K, L : USERID,
all S1, S2 : SECURITYCLASS, A
 sub SECUREMAIL(S1, S2,
 MAIL(B, K, L))
 -> A
 sub SECUREMAIL(S1, S2,
 MAIL(B @ MSGSEQ(C),
 K, L))

is true. If not, the change invalidates the verification of SWITCHER.


<- Why?

Because it was used in the proof of SWITCHER#2, SWITCHER#4, SWITCHER#5, and
SWITCHER#6.


<- Done
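The bookkeeping behind those answers is small enough to reproduce. The following Python is an added example, not SID's implementation: its call tables are read off the unit listing and lemmas printed above, and its record of what each proof used is what the transcript and the Explain answers report, as of the point where LEMMA#3 was still an unproved basis property. The split between calls made from specifications and calls made from bodies is an assumption about SID's rules, chosen so that the model reproduces the answers shown.

```python
"""Change-impact queries over a verification's dependency record (added
example, not SID's code). Tables are transcribed from the session above."""

# Calls made from external specifications (exit, cexit, block, assume) and
# from lemmas: a header change to the callee can invalidate every proof that
# used the caller's specification.
SPEC_CALLS = {
    "NETWORK": {"ISSUBMERGE", "ALLSECUREMAILFOR"},
    "ALLSECUREMAILFOR": {"SECUREMAIL", "MAIL"},
    "SWITCHER": {"SECUREMAIL", "MAIL", "SOURCE"},
    "SECUREMAIL": {"SECUREMAIL", "SECURE"},   # its assumed exit is recursive
    "LEMMA#3": {"SECUREMAIL", "MAIL"},
    "ISSUBMERGE": {"ISMERGE", "ARRAYTOBAG"},
    "MAIL": {"MAIL", "SOURCE", "DESTINATION"},
}
# Calls made from executable bodies: a header change to the callee changes
# the caller's own VCs (assumed rule, see lead-in).
BODY_CALLS = {
    "NETWORK": {"SWITCHER"},
    "SWITCHER": {"SECURE", "DESTINATION", "MAKEMSG"},
}
# vc -> (unit it verifies, specifications and lemmas its proof used)
PROOFS = {
    "NETWORK#1": ("NETWORK", {"ALLSECUREMAILFOR", "SWITCHER"}),
    "SWITCHER#2": ("SWITCHER", {"LEMMA#3"}),
    "SWITCHER#4": ("SWITCHER", {"MAIL", "SECUREMAIL", "LEMMA#3", "LEMMA#4", "LEMMA#5"}),
    "SWITCHER#5": ("SWITCHER", {"LEMMA#3"}),
    "SWITCHER#6": ("SWITCHER", {"LEMMA#3"}),
}


def callers(unit, table):
    """Units whose entries in `table` refer to `unit` (a unit may call itself)."""
    return {u for u, deps in table.items() if unit in deps}


def effects_of_changing_header(unit):
    """Mirror of the Explain answer for a header change: units whose calls may
    become inconsistent, units whose verification is invalidated, and the
    (vc, dependency) pairs that justify each invalidation."""
    spec_callers = callers(unit, SPEC_CALLS)
    body_callers = callers(unit, BODY_CALLS)
    invalid = set(body_callers)          # their VCs must be regenerated
    why = []
    for vc, (owner, used) in sorted(PROOFS.items()):
        for dep in sorted(used & spec_callers):
            invalid.add(owner)
            why.append((vc, dep))
    return sorted(spec_callers | body_callers), sorted(invalid), why


def effects_of_changing_lemma(lemma):
    """Proofs that used the lemma, and the units those proofs verify."""
    vcs = sorted(vc for vc, (_, used) in PROOFS.items() if lemma in used)
    return vcs, sorted({PROOFS[vc][0] for vc in vcs})


if __name__ == "__main__":
    semantics, invalid, why = effects_of_changing_header("SECUREMAIL")
    print("Incorrect semantics:", ", ".join(semantics))
    print("Invalid verification:", ", ".join(invalid))
    for vc, dep in why:
        print(f"  {dep} calls SECUREMAIL and was used in proving {vc}")
```

The same query for SECURE shows why the earlier answer about its body was "No effects" while a header change would still reach SWITCHER: only the header is visible to SECUREMAIL's specification and to SWITCHER's body.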


Suggest one of:

<esc> TRANSLATE (from file)
SAVE (problem on file)

-> Prove Lemma#3


In the above dialog, the user saw that several proofs depend upon Lemma#3.
So he directs SID to attempt its proof.

Entering Prover with basis property LEMMA#3
all A, B : MSGSEQ,
all C : MSG,
all K, L : USERID,
all S1, S2 : SECURITYCLASS, A
 sub SECUREMAIL(S1, S2, MAIL(B, K, L))
 -> A
 sub SECUREMAIL(S1, S2,
 MAIL(B @ MSGSEQ(C), K,
 L))
This proof requires the definitions of Mail, SecureMail, and a new lemma.


LEMMA#3 proved in theorem prover.

Suggest one of:

<esc> TRANSLATE (from file)

SAVE (problem on file)

-> Print Status All

The current design and verification status is:

Proved: DESTINATION, LEMMA#3, MSGEQ, MAKEMSG, NETWORK, SECURE, SOURCE,
 SWITCHER, TEXT

For specifications only: ARRAYTOBAG, ALLSECUREMAILFOR, ISSUBMERGE,
 INFROM\ARRAYTOBAG, MAIL, OUTTO\ARRAYTOBAG, SECUREMAIL
Constants/Types: BAGMSGSEQ, MSG, MSGSEQ, MSGTEXT, MSGINBUF, MSGOUTBUF,
 MSGBUFARRAY, MSGSEQARRAY, NUSERS, SECURITYARRAY, SECURITYCLASS,
 USERID, USERPORT, USERPORTARRAY
Suggest one of:

<esc> TRANSLATE (from file)

SAVE (problem on file)

-> Print Lemma Lemma#6
LEMMA#6 is

all X, Y, Z : MSGSEQ, X sub Y -> X sub Y@Z

This is the lemma used in the proof of Lemma#3.

Suggest one of:

<esc> TRANSLATE (from file)

SAVE (problem on file)

-> Save Net.Dmo


That's all, folks!